Cracking the Tapplock Smart Lock (pentestpartners.com)
99 points by edward 10 months ago | 20 comments

If they can crack it open with a 12" set of bolt cutters, the question of how well the technology works becomes moot in my book. I mean, nothing is going to stand up to the bolt cutters I keep in my garage, but 12" can fit in a coat pocket.

Okay, fine, I'm just going to use it at the gym and not to secure my Aston Martin in the garden shed. Still, the key is generated from the openly-broadcasted BLE MAC? You know, there is a vast chasm between even the rookie security mistakes and "you should not be writing anything that requires even the smallest amount of security", a vast chasm between "oopsie" and "I didn't even know enough to know that I have to know that".

Using bolt cutters is pretty obvious, both during the break-in and afterwards. And a serious inconvenience.

A hack will likely be practically impossible to detect afterwards and could even be made to look legitimate. Anyone in that gym locker room will believe I was the owner when I opened your lock and took your phone out.

However, a skilled lock picker will pick most locks very quickly anyway (but it will at least look suspicious).

Your bolt cutters will chip and shatter when confronted by 16mm hardened chain.

Sorry, what's that have to do with the lock in question?

Mikestew claimed that nothing would stand up to the bolt cutters in their garage.

Kivin_thibedeau presumed said bolt cutters do not fill a significant space in said garage with hardened superalloy jaws and hydraulic power system, and speculated on a common-enough material that could defeat any pair of manual bolt cutters that a typical person would be likely to keep in their garage.

Now we just need a security geek to point out that you don't need to cut the chain if you can defeat a weaker link in the security web. Example: lock bike to street sign post with uncuttable chain and uncrackable lock; bike thief unbolts sign, lifts bike and chain off post, and replaces sign.

Eh, there are two kinds of bike thieves. The first kind show up in a van with half a dozen buddies with pocket angle grinders and empty out the lot in two minutes. They are extremely rare but there's little defense.

The other kind are crackheads that just grab the bike and yank on it until the chain breaks or the bike does. There's a whole market for expensive bike locks that don't work against the first group and are overkill for the second.

The kind of bike thief that carries a wrench so they can unbolt the stop sign and then puts it back afterward doesn't exist. Plus they have to deal with a bike that still has an awkward bike lock hanging off of it.

> The kind of bike thief ... doesn't exist

Not picking on you, I just like telling this story :-)

In the mid 90's a couple I know went to a party on Manhattan's Upper West Side. When they came back to their car (a VW Golf) and opened the doors, wife said "what's all this stuff on the seat?" Then they noticed the stereo was gone.

The thief had broken the little quarter panel window and reached in to open the door. Then he carefully took the dashboard apart, neatly stacking the panel sections and screws on the front passenger seat, until he could remove the stereo and leave.

Besides the breaking of the tiny window, there was absolutely no damage to the car. This guy took his time and did a professional job. Talk about pride in your work :-)

I'm amazed the guy didn't bother to put the stop sign back up. http://www.cnn.com/US/9706/20/stop.sign/index.html

Yeah, the idea that the thief would put it back was kind of a stretch.

Link doesn't work in EU.

> Tapplock already knew about the issues, but continue to sell the lock on Amazon and have failed to make customers aware. I can’t think of any other term but “immoral” to describe this. It’s an abuse of trust.

> This issue is remarkably similar to the problem with the Ring Smart Doorbell – it was impossible to revoke another high privilege user's permissions.

This is given as an unhyperlinked throwaway comment, but my interest is piqued. Does anyone have a write up on this?

That's a much happier story in that Ring seemed to understand the issue and had a rapid response with a fix. I guess we will see what Tapplock actually does but it seems far more fundamentally terrible.

Why anyone would want a Bluetooth-enabled / battery powered padlock is beyond me.

If you want high security, get a lock from a trusted brand (e.g. ABUS) with a thick hardened steel shackle.

If you want convenience (e.g. no key for a gym locker), get something like a WordLock: https://www.amazon.com/Wordlock-PL-056-SL-Combination-Sports...

No need to spend $100 on a lock to save yourself 2 seconds unlocking. Maybe I'm missing something, can anyone think of a better use case?

> If you want convenience (e.g. no key for a gym locker), get something like a WordLock

Preferably not the one shown here[1]

[1] https://www.youtube.com/watch?v=8Uci2KsGGsw

Shared access to shared resources, like a rented storage unit, or anywhere combo locks are used by multiple people. Somewhere between work, with a professional security team and people I've never met, and my home, with a very very short list of people with keys, is the use case for Masterlock's version of this product (because I've used it/their app; I can't speak to the linked product's app).

I rent workshop space with several other people in a shared warehouse (think semi-private TechShop), and the previous two options are keys, which get lost and is one more thing to keep track of, or a combo lock, where the three numbers can be shared with friends, and in the end there's no way to know who has access unless the combo gets changed, plus it's something to forget. Having a Bluetooth enabled lock allows us to grant, but more importantly revoke access over the Internet.

The lock itself does not need Internet access via WiFi.

This is probably one of the craziest easy tests I've read about in a bit.

Similar bug from 2000 https://twitter.com/WeldPond/status/1006985126058831873 "Security engineering is not learning from past root causes"
