Remember last week’s ROTFL story about the $99 digital padlock that could be opened in just two seconds without an angle grinder or a bolt cutter?
Canadian internet of things (IoT) startup Tapplock learned the hard way why you should never knit your own cryptography – unless you’re a proper cryptographer, of course.
UK penetration testing company Pen Test Partners took a glance at Tapplock’s cool-sounding, fingerprint scanner-equipped, Bluetooth-speaking padlock and almost immediately noticed that the “secret” code for each lock could be calculated directly from the lock’s Bluetooth network address.
Because network MAC addresses aren’t meant to be secret – in fact, they’re specifically designed to be broadcast publicly, in order for the network to function – they aren’t, errrrrr, well, they aren’t secrets!
Using your padlock’s public MAC address as your secret padlock access code is like writing the PIN of your bank card on the front in LARGE DIGITS, using an indelible marker pen.
As a result, Pen Test Partners managed to create an “unlock any Tapplock” program that could open any lock in just two seconds, compared to the 0.8 seconds required for the official app to open a specific lock.
Sadly, it gets much worse.
Turns out you don’t need to spend two seconds, or even to use an unofficial unlocking app.
Tapplock’s cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly.
Amusingly, Stykas, an independent researcher who has to buy all his own kit for testing, went down the software-only route for simple practical reasons:
I did not have any locks (and I am out of IoT budget for this month as my wife has -kindly- informed me).
Turns out he saved himself $99, and ended up with a faster and even more generic Tapplock-cracking trick than PTP’s “figure out the key by sniffing the MAC address” hack.
Stykas found that once you’d logged into one Tapplock account, you were effectively authenticated to access anyone else’s Tapplock account, as long as you knew their account ID.
You could easily sniff out account IDs because Tapplock was too lazy to use HTTPS (secure web connections) for connections back to home base – but you didn’t really need to bother, because account IDs were apparently just incremental IDs anyway, like house numbers on most streets.
As a result, Stykas could not only add himself as an authorised user to anyone else’s lock, but also read out personal information from that person’s account, including the last location (if known) where the Tapplock was opened.
Incredibly, Tapplock’s back-end system would not only let him open other people’s locks using the official app, but also tell him where to find the locks he could now open!
Of course, this gave him an unlocking speed advantage over Pen Test Partners – by using the official app Stykas needed just 0.8 seconds to open a lock, instead of the sluggish two seconds needed by the lock-cracking app.
Note. Stykas didn’t prove his point by trying out likely account IDs until he got lucky. He specifically asked for, and received, permission to use one of Pen Test Partners’ test accounts. This means he didn’t need to risk reading someone else’s personal information just to prove his point. Cybercrooks, of course, have no such scruples.
What to do?
- Tapplock user? Get and install any and all patches provided. Apparently, the company has now addressed the most obvious web portal holes (guessable account IDs and no HTTPS), but we assume an app update will be needed as well.
- Web programmer? Don’t make account IDs easy to guess. In an otherwise secure system, account numbers that go 1, 2, 3… shouldn’t be a problem, but why make it easy?
- Service delivery manager? Don’t allow plain HTTP any more. Make sure your servers insist upon HTTPS connections, and update your client software to use HTTPS exclusively.
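To make the “logged in is not the same as allowed” point concrete, here is an added Python illustration (not Tapplock’s code, and not from either researcher) using constructed sample accounts: the vulnerable lookup checks only that a session exists, the hardened one also checks that the caller owns the account, and a random ID generator shows the “don’t use 1, 2, 3…” advice as defence in depth.

```python
import secrets


class Forbidden(Exception):
    """Logged-in caller tried to touch an account they do not own."""


def make_accounts():
    """Constructed sample data for this example (not Tapplock's schema):
    incremental account IDs, one lock owner per account."""
    return {
        1: {"owner": "alice", "last_unlock_location": "constructed place A",
            "authorised": set()},
        2: {"owner": "bob", "last_unlock_location": "constructed place B",
            "authorised": set()},
    }


def vulnerable_lookup(accounts, session_user, account_id):
    """The flaw described above: the server checks that *someone* is logged
    in, then hands over whichever account ID the caller asked for."""
    if session_user is None:
        raise PermissionError("login required")
    return accounts[account_id]   # no check that this is the caller's account


def hardened_lookup(accounts, session_user, account_id):
    """Fix: authentication is not authorisation. Resolve the record, then
    confirm the caller owns it before reading or changing anything."""
    if session_user is None:
        raise PermissionError("login required")
    account = accounts.get(account_id)
    if account is None or account["owner"] != session_user:
        # One answer for 'not yours' and 'does not exist', so the endpoint
        # does not reveal which IDs are valid.
        raise Forbidden("no such account for this user")
    return account


def add_authorised_user(accounts, session_user, account_id, new_user,
                        lookup=hardened_lookup):
    """Grant another user access to the lock; `lookup` enforces ownership."""
    account = lookup(accounts, session_user, account_id)
    account["authorised"].add(new_user)
    return sorted(account["authorised"])


def last_unlock_location(accounts, session_user, account_id,
                         lookup=hardened_lookup):
    """Read the personal data the story mentions, again behind `lookup`."""
    return lookup(accounts, session_user, account_id)["last_unlock_location"]


def new_account_id():
    """Defence in depth: a random 128-bit account ID instead of 1, 2, 3...
    It does not replace the ownership check; it only stops guessing."""
    return secrets.token_urlsafe(16)


def denied(fn, *args):
    """Helper: True if the call is refused with Forbidden."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```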
By the way, if you’re an IoT entrepreneur, why not try something a bit different?
Don’t let your programmers invent their own cryptography, don’t take their word for it that your cool new product will stand up to public cybersecurity scrutiny, and don’t cut GDPR corners with your customers’ data – you’re more likely than ever to get found out.
Be an IoT trendsetter – cybersecurity as value, not cost!