
Cracking the Tapplock Smart Lock - edward
https://www.pentestpartners.com/security-blog/totally-pwning-the-tapplock-smart-lock/
======
mikestew
If they can crack it open with a 12" set of bolt cutters, the question of how
well the technology works becomes moot in my book. I mean, nothing is
going to stand up to the bolt cutters I keep in my garage, but 12" can fit in
a coat pocket.

Okay, fine, I'm just going to use it at the gym and not to secure my Aston
Martin in the garden shed. Still, the key is generated from the openly-
broadcasted BLE MAC? You know, there is a vast chasm between even the rookie
security mistakes and "you should not be writing anything that requires even
the smallest amount of security", a vast chasm between "oopsie" and "I didn't
even know enough to know that I have to know that".

~~~
kevin_thibedeau
Your bolt cutters will chip and shatter when confronted by 16mm hardened
chain.

~~~
jiveturkey
sorry, what's that have to do with the lock in question?

~~~
logfromblammo
Mikestew claimed that nothing would stand up to the bolt cutters in their
garage.

Kevin_thibedeau presumed said bolt cutters do not fill a significant space in
said garage with hardened superalloy jaws and hydraulic power system, and
speculated on a common-enough material that could defeat any pair of manual
bolt cutters that a typical person would be likely to keep in their garage.

Now we just need a security geek to point out that you don't need to cut the
chain if you can defeat a weaker link in the security web. Example: lock bike
to street sign post with uncuttable chain and uncrackable lock; bike thief
unbolts sign, lifts bike and chain off post, and replaces sign.

~~~
jandrese
Eh, there are two kinds of bike thieves. The first kind show up in a van with
half a dozen buddies with pocket angle grinders and empty out the lot in two
minutes. They are extremely rare but there's little defense.

The other kind are crackheads that just grab the bike and yank on it until the
chain breaks or the bike does. There's a whole market for expensive bike locks
that don't work against the first group and are overkill for the second.

The kind of bike thief that carries a wrench so they can unbolt the stop sign
and then puts it back afterward doesn't exist. Plus they have to deal with a
bike that still has an awkward bike lock hanging off of it.

~~~
dual_basis
[https://www.google.com/amp/s/wgno.com/2018/02/09/watch-thief...](https://www.google.com/amp/s/wgno.com/2018/02/09/watch-thief-remove-street-signs-to-steal-bike-locked-to-stop-sign/amp/)

~~~
beenBoutIT
I'm amazed the guy didn't bother to put the stop sign back up.
[http://www.cnn.com/US/9706/20/stop.sign/index.html](http://www.cnn.com/US/9706/20/stop.sign/index.html)

~~~
logfromblammo
Yeah, the idea that the thief would put it back was kind of a stretch.

------
Gys
> Tapplock already knew about the issues, but continue to sell the lock on
> Amazon and have failed to make customers aware. I can’t think of any other
> term but “immoral” to describe this. It’s an abuse of trust.

------
astura
> This issue is remarkably similar to the problem with the Ring Smart Doorbell
> – it was impossible to revoke another high privilege users permissions.

This is given as an unhyperlinked throwaway comment, but my interest is
piqued. Does anyone have a write up on this?

~~~
rickboyce
I guess it’s referring to this post:
[https://www.pentestpartners.com/security-blog/steal-your-wi-...](https://www.pentestpartners.com/security-blog/steal-your-wi-fi-key-from-your-doorbell-iot-wtf/)

~~~
mbu
That's a much happier story in that Ring seemed to understand the issue and
had a rapid response with a fix. I guess we will see what Tapplock actually
does but it seems far more fundamentally terrible.

------
mfkp
Why anyone would want a bluetooth-enabled / battery powered padlock is beyond
me.

If you want high security, get a lock from a trusted brand (e.g. ABUS) with a
thick hardened steel shackle.

If you want convenience (e.g. no key for a gym locker), get something like a
WordLock: [https://www.amazon.com/Wordlock-PL-056-SL-Combination-Sports...](https://www.amazon.com/Wordlock-PL-056-SL-Combination-Sports-Lock/dp/B002BH3NKY/)

No need to spend $100 on a lock to save yourself 2 seconds unlocking. Maybe
I'm missing something, can anyone think of a better use case?

~~~
shabble
> If you want convenience (e.g. no key for a gym locker), get something like a
> WordLock

Preferably not the one shown here[1]

[1]
[https://www.youtube.com/watch?v=8Uci2KsGGsw](https://www.youtube.com/watch?v=8Uci2KsGGsw)

------
whynotkeithberg
This is probably one of the craziest easy tests I've read about in a bit.

~~~
sp332
Similar bug from 2000
[https://twitter.com/WeldPond/status/1006985126058831873](https://twitter.com/WeldPond/status/1006985126058831873)
"Security engineering is not learning from past root causes"

