
The Tapplock IoT padlock has multiple security vulnerabilities - ptx
https://nakedsecurity.sophos.com/2018/06/18/the-worlds-worst-smart-padlock-its-even-worse-than-we-thought/
======
tomsmeding
> Web programmer? Don’t make account IDs easy to guess. In an otherwise secure
> system, account numbers that go 1,2,3… shouldn’t be a problem, but why make
> it easy?

Is that the best advice to web programmers they can give based on this story?
That's the "obscurity" part in the security by obscurity scheme. If you've got
your security otherwise nailed down fine, some obscurity on the top doesn't
hurt: security-in-depth, people seem to call that. But use only the obscurity,
and only one person has to find out how your scheme works, and it's game over.

I'd, you know, recommend to think about authentication. Your authentication
state is not "logged in", it's "logged in as user X". So the code that decides
whether a client can see a specific page can and should (!) depend on what
specifically you're authenticated as.

Oh, and yes, this company has proved that they don't know the least thing
about security. But that was clear already.

~~~
friendzis
> Your authentication state is not "logged in", it's "logged in as user X". So
> the code that decides whether a client can see a specific page can and
> should (!) depend on what specifically you're authenticated as.

"the code that decides whether a client can see a specific page" should not
care about authentication; this is an authorization issue. I see these things
conflated too often.

Identification, Authentication and Authorization are three different beasts.
Separate identification seems like an unnecessary complication, which it is in a
simple web app, but in a more complicated case where the ID is not user supplied
(login over an external service, reading the ID from a smart card, etc.) it can
become a necessity, which can be embedded into the authentication mechanism. The
authentication mechanism should only provide "authenticated" and similar (e.g.
"authentication security level") flags, because authentication at its root is
a mechanism to establish trust that the client has control of a certain ID,
nothing more.

~~~
phito
Sometimes I wonder how technology can work, when so many people working in the
field are unable to grasp the basic concepts of it.

~~~
chii
Either the competent pulls way more than their weight, or luck.

~~~
yjftsjthsd-h
Also the really bad stuff sometimes dies under its own weight. Natural
selection occasionally works.

------
newsbinator
In a different market, with a different product, this could have been a funny
success story 10 years later.

Something like:

> "when we launched, our [thing] was totally insecure and we had just thrown
> together a bunch of spaghetti code over nights and weekends - anything that
> would ship. Then when we hit it big we started investing in the process and
> now our [thing] is the best, most secure one on the market"

Too bad in this case [thing] is a lock, where proper security is its primary,
and single, reason for existing. There's no 10 years later for this one.

------
snowwolf
“Invincible to the people who do not have a screwdriver”

[https://boingboing.net/2018/06/15/high-tech-lock-is-invincible.html](https://boingboing.net/2018/06/15/high-tech-lock-is-invincible.html)

Which incidentally is also maybe an issue for Tapplock

[https://www.theregister.co.uk/2018/06/15/taplock_broken_scre...](https://www.theregister.co.uk/2018/06/15/taplock_broken_screwdriver/)

~~~
user5454
> “Invincible to the people who do not have a screwdriver”

or a mobile phone.. or access to the Internet..

------
hatsunearu
Genuinely curious how people still manage to fuck up this kind of super basic
secure coding practice.

~~~
rapsey
IoT devices are generally built and programmed by electronic engineers. They
have no knowledge about software security and neither do they care.

~~~
lnsru
That’s wrong. An engineer has a couple of managers above them. Product, project,
platform manager. You name it. An engineer is just another blue collar worker
nowadays. No decision making power. I was not allowed to save the company $40k;
they told me that numbers shouldn’t interest me. If management says we need no
encryption and authentication, it’s totally OK. I just print their emails with
this statement for later.

~~~
dpark
Engineering is absolutely not blue collar, but this has nothing to do with the
issue you’re facing. If you found an opportunity to save $40k and they said
you shouldn’t care about numbers, then either you have poor management or
there’s more to the story that you didn’t share. At the very least competent
management should have been able to explain why saving the $40k was the wrong
trade off.

~~~
lnsru
Yes, competent management. Didn’t experience many companies having it. With
competent management I could save my salary for a couple of years in this
project alone. The client is another branch of the same company. I could design
a PCB with components for our needs; instead of that, management wants to go
with an expensive 3rd party module having all the bells and whistles on it.

Edit: PCB design is risky. But the system is very primitive, having a voltage
regulator and a single integrated circuit in it. I doubt this department with
its current performance would survive as an independent company.

------
ptx
I wonder why the "message" field in the response says "API调用成功" ("API call
succeeded", I think?) if this is a Canadian company. Did they just buy the
locking solution from some Chinese OEM?

~~~
jon-wood
Yes, almost certainly. One of the IoT industry's dirty little secrets is that
just about everyone is just rebadging OEM hardware from China, and often doing
a minimum of due diligence on that hardware.

(Disclaimer: I work for an IoT startup. We have an in-house security engineer,
and contract pen testers who we call in to do physical and software tests
against any new hardware we ship)

~~~
majewsky
That's not a "Disclaimer", that's a "Source".

------
vivan
This is a problem you see with a model of security where they have security on
the front end (meaning the user can only see the bits they should have access
to in the UI) but then the back end API is pretty much open to any
authenticated user. The idea being that nobody should be able to send API
requests if the UI isn't there.

It is a stupid practice.

I "hacked" a student newspaper back when I was at university with a similar
"hack". They decided to roll their own CMS rather than using something like
Wordpress, because, you know... that makes sense for a small team with little
experience.

The user settings page was something like /user/edit/{userid}. I noticed that
you can actually change _any_ user's settings (including login) by just
changing the userid. So, of course, you just change it to 1 because the first
user will inevitably be the admin. This gave control over the whole system.

------
bobbles
> What to do?

> Tapplock user? Get and install any and all patches provided. Apparently, the
> company has now addressed the most obvious web portal holes (guessable account
> IDs and no HTTPS), but we assume an app update will be needed as well.

Also, stop being a Tapplock user

------
pedroaraujo
I thought this was a blog post about the guy who simply unlocked the padlock
using a GoPro mount
([https://www.youtube.com/watch?v=RxM55DNS9CE](https://www.youtube.com/watch?v=RxM55DNS9CE)
- the video is worth watching from the beginning) but this was more amusing
than I was expecting.

Nothing went right in the design of this padlock.

~~~
ptx
Apparently that was a quality-control issue with his lock - the lock is
designed to have a small metal pin that prevents rotating the back, but it was
defective on his lock.

~~~
mikestew
Same quality control that allows the shackle to be snipped with a 12" set of
bolt cutters? It's almost as if at every turn, of two possible decisions, they
consistently chose the wrong one.

------
thisisit
> Canadian internet of things (IoT) startup Tapplock learned the hard way why
> you should never knit your own cryptography

If they wanted to knit their own cryptography, then cryptocurrency and ICO was
their place to be.

~~~
raverbashing
Don't give them any ideas. Or they will want to save lock/unlock data to a
blockchain, then read from it in order to unlock your padlock.

------
notnot
This may seem unrelated but I watched "The Disaster Artist" for the first time
last night. It made me cringe, not for Wiseau but by reminding me of all the
times I've been a Wiseau in my life as I disconnected from reality caught up
in some fantasy of how I was going to make the world love me by something I
was going to do. Reality can be a brutal place for the ego, but at least it's
real.

"I'm going to make my own Bluetooth smart-lock. It's gonna be amaaaazing. Oh
hai Mark."

------
air7
> You could easily sniff out account IDs because Tapplock was too lazy to use
> HTTPS.

SSL benefits are generally over-hyped IMO and might give a false sense of
being 'Secure' as in this article where such an obviously flawed system
receives "use SSL" as one of two recommendations.

The idea that unencrypted traffic allows any hacker to easily sniff it is
wrong and misleading. The eavesdropper needs to be "close": in the same LAN as
the target, or upstream of it, i.e. on the same wifi (needs to be physically
there, know/hack the wifi password and perform an ARP spoofing attack), or
be/hack the ISP itself.

Of course I'm not saying SSL _shouldn't_ be used, only that it's a secondary
security measure, like using seat-belts vs having good brakes.

~~~
annabellish
Almost all flaws are "not that serious" on their own, because people aren't
generally _that_ dumb.

"You can find out somebody's account ID" isn't that big a problem in the
presence of other decent mitigations. Without those mitigations, of which
HTTPS is one to prevent request spoofing, everything is terrible.

~~~
zip1234
I agree, the account ID is a complete non-issue as long as each endpoint
limits results to the account ID associated with the credentials.
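As an added illustration of the point made in this comment and in vivan's /user/edit/{userid} story above (example code, not from the thread, Tapplock or any real product; all data, tokens and IDs are constructed), here is a minimal in-memory lock API that shows an "authenticated equals authorized" handler next to one that keeps authentication and authorization as separate steps, so that guessable sequential IDs stop mattering:

```python
# Added example: constructed data and tokens, not Tapplock's real API.
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Lock:
    lock_id: int
    owner_id: int
    location: str  # the kind of data the article says the real API leaked


# Constructed sample data: sequential, guessable IDs on purpose.
LOCKS: Dict[int, Lock] = {
    1: Lock(1, 100, "shed, 1 Example St"),
    2: Lock(2, 200, "bike rack, Example Ave"),
}
# Constructed session store: opaque token -> authenticated user id.
SESSIONS: Dict[str, int] = {"tok-alice": 100, "tok-bob": 200}


def _authenticate(token: str) -> Optional[int]:
    """Authentication answers only 'who is this client?', not 'what may they see?'."""
    return SESSIONS.get(token)


def get_lock_vulnerable(token: str, lock_id: int) -> Optional[Lock]:
    """Broken: any authenticated user can read any lock by changing the ID."""
    if _authenticate(token) is None:
        return None
    return LOCKS.get(lock_id)


def get_lock(token: str, lock_id: int) -> Optional[Lock]:
    """Hardened: authorization is keyed on the authenticated identity, and a
    foreign lock is reported exactly like a missing one (404-style), so the
    response does not confirm that a guessed ID exists."""
    user_id = _authenticate(token)
    if user_id is None:
        return None
    lock = LOCKS.get(lock_id)
    if lock is None or lock.owner_id != user_id:
        return None
    return lock


def list_locks(token: str) -> List[Lock]:
    """Hardened listing: filter by the caller's own identity, never by a
    client-supplied owner parameter."""
    user_id = _authenticate(token)
    if user_id is None:
        return []
    return [lock for lock in LOCKS.values() if lock.owner_id == user_id]
```

The same ownership check belongs on every write and unlock endpoint too; a single unguarded route is enough to reproduce the article's "open other people's locks" result.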

------
shroom
> “Incredibly, Tapplock’s back-end system would not only let him open other
> people’s locks using the official app, but also tell him where to find the
> locks he could now open!”

Never heard of this product before but what a hilarious read. They seem to fix
some of the issues pretty quick. But what a nightmare IoT is. I’m stressed
out by not keeping up to date with computer/phone updates (mostly because I
wait a bit to ensure programs I use still work). Can’t imagine owning even
more products that I have to maintain software updates on...

------
thatswrong0
These seem like mistakes one would make if one was using tutorials to build a
Rails application for the first or second time ever.

------
tqkxzugoaupvwqr
The article recommends:

> Don’t allow plain HTTP any more. Make sure your servers insist upon HTTPS
> connections, and update your client software to use HTTPS exclusively.

Does this mean I should turn off HTTP completely? Right now, I redirect any
incoming HTTP requests to HTTPS. Is this considered insecure?

~~~
raesene9
So it depends on your client population. If you've got general browsers
hitting your site, I think HTTP-->HTTPS is a reasonable trade off and stops
the poor experience of a user putting your site name into the browser bar and
getting told there's no site there.

If you control the client population, as in this case, there's no real need to
allow HTTP at all, so I'd just disable it and have HTTPS only.

~~~
Avamander
Have your domain HSTS preloaded and every proper browser will automatically
redirect without you having to.

------
sschueller
As mentioned in the article. Jerry Rig Everything did a review on this and
found that you can just twist off the back...[1]

[1] [https://youtu.be/RxM55DNS9CE?t=3m39s](https://youtu.be/RxM55DNS9CE?t=3m39s)

~~~
maaark
Tapplock claim that was an exceptional unit and a spring-loaded pin normally
prevents this. Another researcher couldn't make it work.

Still fucked tho

------
imtringued
There's an upside to the terrible security: no fingers have to be chopped to
gain access.

------
thomasfedb
Utterly horrifying, but ultimately irrelevant. No lock of this size is meant
to be anything other than inconvenient to open. Angle grinders are cheap, and
more easily wielded than HTTP request crafting.

~~~
raesene9
However there are cases where an attacker doesn't want to arouse suspicion,
and angle grinders are kind of noticeable.

This would allow for an attack where the lock appears to be operating
successfully, but someone has unauthorised access.

~~~
thomasfedb
For this reason the scariest bit is the ability to access account information
via their online systems - sounds like a map of locks that aren't locks.

~~~
imtringued
Why the hell do they store the location data of the locks? Are they secretly
selling the location and unlock access to governments?

------
slivym
Frankly, this all seems like quite a lot of fuss over nothing. Firstly,
padlocks are generally very easy to just break open with a set of bolt cutters.
Particularly, if you look at more secure traditional padlocks, practically all
of them share physical design features intended to minimize the amount of
the actual shackle that's accessible. So to be clear - the second you see the
shape of that padlock you know that it's not designed to be super secure.

With that in mind - which are you more worried about? Something spoofing your
Bluetooth pass code using some advanced tech, physically unscrewing the back
and deconstructing the padlock, or the third option: chop open the shackle?

What I find amazing is that they thought they could advertise this product as
more secure than any other padlock with the same mechanism. This padlock is a
fingerprint padlock; maybe people like that convenience, but don't try and
pretend physical security isn't a concern.

~~~
crottypeter
If someone chops open your padlock you find out about it next time you see it.

The vulnerabilities in the article might go unnoticed, so the user keeps
locking gates, chains, whatever with the bad lock and the crooks can come
again and again and rifle through your shed, garage, whatever.

It is absolutely worse than a chopped padlock.

