FTC The Latest To Discover 'Smart' Locks Are Dumb, Easily Compromised

from the dumb-is-the-new-smart dept

Like most internet of broken things products, we’ve noted how “smart” door locks often aren’t all that smart. More than a few times we’ve written about smart lock consumers getting locked out of their own homes without much recourse. Other times we’ve noted how the devices simply aren’t that secure, with one study finding that 12 of 16 smart locks they tested could be relatively easily hacked thanks to flimsy security standards, something that’s the primary feature of many internet of broken things devices.

This week, the FTC released a complaint (pdf) against Tapplock, the maker of a “smart,” fingerprint reading padlock the company’s website proclaims delivers “99.999% accuracy” while unlocking in “0.8 seconds.” In the complaint and a companion press release, the FTC makes it clear the products are clearly exploitable — either by simply unscrewing the back, or by hacking the device’s bluetooth link between the lock and its companion app. Based on the FTC complaint, the company did the bare minimum to ensure the devices were actually secure:

“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,? said Andrew Smith, Director of the FTC?s Bureau of Consumer Protection. ?Tech companies should remember the basics?when you promise security, you need to deliver security.?

On top of that, the FTC noted that the company collected a notable amount of data including user location, lock locations, email addresses, and other data the company then failed to (surprise!) secure. In fact, the FTC goes so far to suggest that, like so many IOT companies, Tapplock failed to even have a basic security program to protect product integrity and consumer data:

“Contrary to the statements described in Paragraphs 8-11, Respondent did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers? personal information. In fact, Respondent did not have a security program prior to the discovery of the vulnerabilities described…”

Granted this is the kind of action we need more of from the FTC in the internet of broken things era. But at the same time this is a drop in the bucket when you consider the mountain of companies — many outside of the reach of the FTC — that build internet-connected devices with flimsy to nonexistent security and privacy protections. As security experts like Bruce Schneier have long noted, there’s a market failure in the IOT space where neither the manufacturer nor the consumer have any incentive to do or demand better. Especially as it pertains to network-connected devices that aren’t clear about what data is being transmitted:

“The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”

Fixing the IOT mess will require a cross collaboration between researchers, consumers, academics, governments, and industry. But as Schneier has also noted, the incentive for such collaboration probably won’t materialize until after there’s a privacy scandal so severe it finally prompts us to collectively give a damn.

Filed Under: , ,

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “FTC The Latest To Discover 'Smart' Locks Are Dumb, Easily Compromised”

Subscribe: RSS Leave a comment
Anonymous Coward says:

Re: Re:

I have often wondered just what they are talking about when they advertise their smart products. Defining exactly what the word smart means is difficult at best but then attempting to apply it toward an inanimate object is just silly. Perhaps they want it to be intelligent, like in AI but do not know what that is either so they imly all sort of silly traits that no one is able to verify.

Oh yeah, and why connect the house door locks to the internet? What benefit is there? Seems there are plenty of items in the down side column and little to nothing in the up side, must be a product in search of a market.

Agammamon says:

the FTC makes it clear the products are clearly exploitable — either by simply unscrewing the back


I mean, if you’re unscrewing the back you’re already inside . . .

And its the exact same vulnerability a keyed deadbolt has – get inside, unscrew the facing, remove the deadbolt, open th . . . waitaminit

Anonymous Coward says:

I had a couple of these locks given to me by a friend. Physical security was a joke – a rather light hit from a hammer would pop one open. Worse was that this piece of electronics wasn’t anywhere near waterproof and one week on an outside gate in the rain was enough to destroy one and make me get bolt cutters out.

But that’s not even the worst part. I like the idea of a fingerprint lock. Biometric security on a lock is convenient. No keys to carry or lose, no codes to forget, and the technology is getting rather robust. But then someone decided that the whole thing had to connect to the Internet to gather personal information instead of leaving it the closed loop device it could have been.

Oh, and a proprietary power supply, too. smh

Anonymous Coward says:

Just another reason why I won’t use IoT devices. I’m a Homekit house which uses encryption. The downside is it’s iOS/Apple only, but being so, it’s much more secure. I still have NO Smart locks on my house. The closest to that would me my main Garage Door, which is how we leave my hour 99.9% of the time anyway, and that is SMART. There is no Smart Door Lock to access though. I can open it with my voice. Lift up my worst for my Apple Watch and just say "Open Garage" and it’ll open up.

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...