The $99 digital padlock that kept crooks out… for 2 whole seconds

Imagine if you could walk up to your bicycle, unlock it within two seconds, and ride off without grubbing in your pocket for keys, without spinning a combination dial with cold, wet hands, and without fiddling around with a mobile phone app to tell the lock to open.

What if you could just swipe your finger over the lock and open it as easily as you unlock your mobile phone with its fingerprint scanner?

Well, Canadian company Tapplock sells a product that not only works that way, but also boasts “unbreakable design”.

Admittedly, the small print on its website ultimately tones that punchy claim down to say “virtually unbreakable”, but the Tapplock is certainly pitched as a secure product.

Tapplock claims that unlocking takes just 0.8 seconds, and that up to 500 different fingerprints can be registered with the lock, making it suitable for even the most extended family.

Those cool features are supposed to be what makes the Tapplock cost a bullish $99 – big money for a padlock.

Unfortunately, as well-known UK hackers-and-crackers (we mean this in a neutral sense, of course!) Pen Test Partners (PTP) rather too rapidly discovered…

…the Tapplock’s unbreakability was, indeed, virtual rather than actual.

PTP researchers were able to write an app that unlocked any Tapplock in just 2 seconds, compared to 0.8 seconds for one that was opened using a fingerprint or Tapplock’s own secure app.

Additionally, they found that the protocol used to grant access to multiple users couldn’t handle revocation.

That’s a fancy way of saying that the unlock code transmitted to the lock was identical for every user, which is like having the same password for every account on a server – if one person goes rogue, you can’t lock them out without locking everyone else out, too.

Conventional locks suffer from the same problem, of course. Once you’ve given a friend a copy of the key to your flat, you can’t keep them out in future without changing the lock. Even if they give you back their copy of the key, you can’t be sure they haven’t made their own copy of the copy for later.

Copying the key

The “one key to rule them all” was found by running a Bluetooth traffic sniffer on Tapplock’s app-to-lock communication, and recording the data stream that was transmitted when two different users unlocked it.

Lo and behold, the data was the same every time, meaning that the Tapplock is no more flexible in respect of multiple users than a conventional lock with a physical key – once made, a copy of the digital “key” works over and over again.

Given that the Tapplock app allows you to add and remove users, and pitches its multi-user capability as a cool feature to help you justify spending $99 on a padlock…

…that discovery didn’t fill Pen Test Partners with confidence.

Reconstructing the key

Copying a Tapplock key turned out to be trivial, but that only allows a crook to open a lock for which they’ve already sniffed out an app-to-lock Bluetooth conversation.

In other words, being able to clone an existing key is bad, but nowhere near as bad as getting a skeleton key that will open locks you haven’t seen before.

So PTP’s next step was to try to answer the question, “How is the block of random-looking key data computed?”

The researchers found that Tapplock derived the key for the lock not from a shared secret that you could choose yourself, but directly from the MAC address (the physical network ID) of the lock’s Bluetooth network hardware.

That’s bad!

We’ve written about MAC-address-used-as-password SNAFUs before, because there’s never an excuse for using a network card’s hardware address as the basis to construct a secret.

Repeat after me: MAC addresses aren’t secret, because their purpose is to be publicly unique.

Indeed, the MAC is openly added to every network packet sent from a specific device precisely because it is unique, and is therefore a convenient way of tagging packets so their source can easily be identified.

Because of this, the researchers were able to write an app that could rapidly generate the keycode for any Tapplock as soon as it sent out network traffic over Bluetooth.

As a result, the “open any lock” app takes just 2 seconds compared to the “open one specific lock” app’s 0.8 seconds.
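The two design flaws described above (one unlock code shared by every user, and a code computed from a public identifier) are contrasted below with a per-user, challenge-response design. This is an added example, not code from Tapplock or Pen Test Partners: `weak_unlock_code` is a hypothetical stand-in rather than the lock's real derivation, and the `Lock` class, user names and MAC address are constructed for illustration.

```python
import hashlib, hmac, secrets

def weak_unlock_code(mac: str) -> bytes:
    # Hypothetical stand-in, NOT Tapplock's actual algorithm: every input is
    # public, so any observer of the MAC computes the same "secret".
    return hashlib.sha256(mac.lower().encode()).digest()[:16]

def app_response(key: bytes, nonce: bytes) -> bytes:
    # App side: prove knowledge of the per-user key for this one challenge.
    return hmac.new(key, nonce, hashlib.sha256).digest()

class Lock:
    """Lock side: random per-user keys and a fresh single-use challenge."""
    def __init__(self):
        self.user_keys = {}   # user id -> 32-byte secret
        self._nonce = None

    def enroll(self, user: str) -> bytes:
        key = secrets.token_bytes(32)   # CSPRNG output, unrelated to any identifier
        self.user_keys[user] = key
        return key   # assumed to reach the user's app over a protected pairing step

    def revoke(self, user: str) -> None:
        self.user_keys.pop(user, None)   # other users' keys are untouched

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, user: str, response: bytes) -> bool:
        nonce, self._nonce = self._nonce, None   # each nonce is accepted once
        key = self.user_keys.get(user)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(app_response(key, nonce), response)

def demo() -> dict:
    mac = "AA:BB:CC:DD:EE:FF"   # constructed sample address
    lock = Lock()
    alice, bob = lock.enroll("alice"), lock.enroll("bob")
    resp = app_response(alice, lock.challenge())
    out = {"weak_reproducible": weak_unlock_code(mac) == weak_unlock_code(mac.lower()),
           "legit": lock.unlock("alice", resp)}
    lock.challenge()                                  # lock issues a new nonce
    out["replay"] = lock.unlock("alice", resp)        # recorded response is stale
    lock.revoke("bob")
    out["revoked"] = lock.unlock("bob", app_response(bob, lock.challenge()))
    out["other_user_ok"] = lock.unlock("alice", app_response(alice, lock.challenge()))
    return out
```

With per-user keys, revoking one user leaves everyone else's access intact, and a sniffed response is useless against the next challenge.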

What to do?

Deriving a keycode from a computer’s MAC address is like using your username as your password: it was a terrible idea back in 1988, and it’s a similarly terrible idea in 2018.

Tapplock has acknowledged Pen Test’s findings in an official communique:

Tapplock is pushing out an important security patch. Please be attentive to update your app once it becomes available to your region. We highly recommend you also upgrade the firmware of your locks to get the latest protection.

This patch addresses several Bluetooth / communication vulnerabilities that may allow unauthorised users to illegally gain access. Tapplock will continue to monitor the latest security trends and provide updates from time to time.

Many thanks to the Pen Test Partners for the timely prompt and ethical disclosure.

It’s not immediately clear how upgrading the app is an “important security patch” while upgrading the firmware of the lock itself is merely “highly recommended”…

…so if you have a Tapplock, be sure to do both.