How do an IoT smart lock, a YouTuber, and a pen tester fit together into a single story on cybersecurity?
Let's just say it has something to do with a healthy sense of curiosity.
IoT smart lock hack: the lock
First of all, there is the lock. It's a fingerprint reading smart padlock called Tapplock, which can also be unlocked via an app over Bluetooth.
Look how sleek this thing is. No wonder it has won design awards and been highly praised by online reviewers and tech sites. No more having to remember your key or a combo. Isn't the Internet of Things just the best?
But in this day and age of testing, poking, and prodding sweet new IoT devices like Tapplock, the claim of "Unbreakable design" got put to the test.
IoT smart lock hack: the YouTuber
It started a couple of weeks ago when YouTuber "JerryRigEverything" showed himself testing the idea that Tapplock had unbreakable physical security. Shockingly, he never had to cut its shackle; he just took it apart using a sticky GoPro mount. Watch it for yourself:
So is Tapplock unbreakable? Um, well... not exactly.
IoT smart lock hack: the pen tester
The YouTube video on Tapplock's physical security then got a penetration tester wondering about the cybersecurity of this IoT smart lock. A pen tester's job is to poke and prod things to look for holes in cybersecurity, and they are often hired by companies to find these vulnerabilities before the bad guys do.
Tapplock's website boasts about its cybersecurity, saying the smart lock is built with "the same encryption used by the military to protect documents with confidential and secret security levels."
So was Tapplock's cybersecurity any better than its physical security?
Andrew Tierney of Pen Test Partners, based in the UK, went to work investigating how the lock communicated with the device's app. Shockingly, in a few minutes, he discovered how to unlock Tapplock with a 2-second hack.
"Normally I love reading about IoT hacks that take time, effort and ingenuity, but I can’t do that here. In under 45 minutes, we had the ability to walk up to any Tapplock and unlock it.
First things first, the app communicates over HTTP. There is no transport encryption. This is unforgivable in 2018," Tierney posted.
In fact, he says he was so stunned by how bad the cybersecurity was on the device that he thought maybe he had received a knockoff or counterfeit.
He confirmed with Tapplock that the device and the app were indeed authentic.
Next, he was able to push the "unlock" code to an Android device, so he had the power to unlock things right from his phone.
"I scripted the attack up to scan for Tapplocks and unlock them. You can just walk up to any Tapplock and unlock it in under 2s. It requires no skill or knowledge to do this."
Can you imagine one of those bike locker rooms where a group of thieves walk in, their phones unlock the Tapplock padlocks in the room, and they roll away within seconds? Now that's the scary side of the Internet of Things.
IoT smart lock hack: Tapplock responds
The pen tester notified Tapplock about the vulnerability, and this is one of those cases where this kind of security research makes a difference.
"Tapplock is pushing out an important security patch. Please be attentive to update your app once it becomes available to your region. We highly recommend you also upgrading the firmware of your locks to get the latest protection.
This patch addresses several Bluetooth / communication vulnerabilities that may allow unauthorised users to illegal gain access. Tapplock will continue to monitor the latest security trends and provide updates from time to time.
Many thanks to the Pen Test Partners for the timely prompt and ethical disclosure."
Wow, talk about getting credit for your work!
One of the big things that remains unsettling here is that Tapplock will suggest users upgrade the firmware of the locks. In most cases people simply do not do this for a variety of reasons. We'll save that for next time.
But in this case, now you know how an IoT smart lock, a YouTuber, and a pen tester fit together into a single story on cybersecurity.
More: Situations like this one show why a new IoT security framework was introduced in 2018. The rush to market will make this an ongoing issue. And so will the fact that IoT Security Is a 3-Dimensional Problem.