FTC The Latest To Discover 'Smart' Locks Are Dumb, Easily Compromised
from the dumb-is-the-new-smart dept
Like most internet of broken things products, we’ve noted how “smart” door locks often aren’t all that smart. More than a few times we’ve written about smart lock consumers getting locked out of their own homes without much recourse. Other times we’ve noted how the devices simply aren’t that secure, with one study finding that 12 of 16 smart locks they tested could be relatively easily hacked thanks to flimsy security standards, something that’s the primary feature of many internet of broken things devices.
This week, the FTC released a complaint (pdf) against Tapplock, the maker of a “smart,” fingerprint-reading padlock the company’s website proclaims delivers “99.999% accuracy” while unlocking in “0.8 seconds.” In the complaint and a companion press release, the FTC makes it clear the products are readily exploitable — either by simply unscrewing the back, or by attacking the Bluetooth link between the lock and its companion app. Based on the FTC complaint, the company did the bare minimum to ensure the devices were actually secure:
“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Tech companies should remember the basics: when you promise security, you need to deliver security.”
On top of that, the FTC noted that the company collected a notable amount of data, including user locations, lock locations, email addresses, and other data the company then failed to (surprise!) secure. In fact, the FTC goes so far as to suggest that, like so many IoT companies, Tapplock failed to even have a basic security program to protect product integrity and consumer data:
“Contrary to the statements described in Paragraphs 8-11, Respondent did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information. In fact, Respondent did not have a security program prior to the discovery of the vulnerabilities described…”
Granted, this is the kind of action we need more of from the FTC in the internet of broken things era. But at the same time this is a drop in the bucket when you consider the mountain of companies — many outside of the reach of the FTC — that build internet-connected devices with flimsy to nonexistent security and privacy protections. As security experts like Bruce Schneier have long noted, there’s a market failure in the IoT space where neither the manufacturer nor the consumer has any incentive to do or demand better, especially as it pertains to network-connected devices that aren’t clear about what data is being transmitted:
“The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”
Fixing the IoT mess will require cross-sector collaboration between researchers, consumers, academics, governments, and industry. But as Schneier has also noted, the incentive for such collaboration probably won’t materialize until after there’s a privacy scandal so severe it finally prompts us to collectively give a damn.
Filed Under: ftc, security, smart locks
Comments on “FTC The Latest To Discover 'Smart' Locks Are Dumb, Easily Compromised”
When it comes to IoT, "Just Say No!"
And we need to hope that the mentioned severe privacy scandal occurs before a severe death or serious injury scandal.
The devices connected to the IoT are smart…
On the other hand, the people making them and relying on them to be secure are blithering idiots.
Maybe IoT should be changed to Idiots Owning Technology.
Re: Re:
I have often wondered just what they are talking about when they advertise their smart products. Defining exactly what the word smart means is difficult at best, but then attempting to apply it toward an inanimate object is just silly. Perhaps they want it to be intelligent, like in AI, but do not know what that is either, so they imply all sorts of silly traits that no one is able to verify.
Oh yeah, and why connect the house door locks to the internet? What benefit is there? Seems there are plenty of items in the downside column and little to nothing in the upside; must be a product in search of a market.
Re: Re: Re:
If you would like to know who is coming and going while you’re not home. You want to unexpectedly let someone in the house while you’re on vacation. Probably other reasons I’m not thinking of.
Seriously?
I mean, if you’re unscrewing the back you’re already inside . . .
And it’s the exact same vulnerability a keyed deadbolt has – get inside, unscrew the facing, remove the deadbolt, open th . . . waitaminit
Re: Re:
It’s a padlock. Both sides accessible from outside whatever it is trying to lock up.
When will these companies learn?
The real money in IoT tat is the data you slurp. If even the below-average script kiddie can easily get the company’s data then it is no longer the company’s proprietary data. Great work destroying your business model, IoT tat makers.
Yep, there are so many things in this world that boil down to poorly manufactured, dangerous cyber crap from China (or India or something).
Re: Re:
China .. India .. it used to be Japan then Korea …
Seems it is just the next third world country to be exploited by the corporate outsourcing that has become so popular these days.
Re: Re: Re:
Hey, c’mon, now… we’ve proven we can build insecure, crappy IoT devices right here in the US. ‘Murrica demands its seat at the table!
There’s a common saying in information security circles:
I think that says it all.
While the buyers of random "smart" doohickeys may indeed have little reason to care if their security-challenged trinkets get used to DDoS someone they don’t know on the internet, it seems rather likely most buyers of locks do care if every kid with a smartphone can break into their property.
I had a couple of these locks given to me by a friend. Physical security was a joke – a rather light hit from a hammer would pop one open. Worse was that this piece of electronics wasn’t anywhere near waterproof and one week on an outside gate in the rain was enough to destroy one and make me get bolt cutters out.
But that’s not even the worst part. I like the idea of a fingerprint lock. Biometric security on a lock is convenient. No keys to carry or lose, no codes to forget, and the technology is getting rather robust. But then someone decided that the whole thing had to connect to the Internet to gather personal information instead of leaving it the closed loop device it could have been.
Oh, and a proprietary power supply, too. smh
Just another reason why I won’t use IoT devices. I’m a HomeKit house, which uses encryption. The downside is it’s iOS/Apple only, but being so, it’s much more secure. I still have NO smart locks on my house. The closest to that would be my main garage door, which is how we leave my house 99.9% of the time anyway, and that is SMART. There is no smart door lock to access, though. I can open it with my voice. Lift up my wrist for my Apple Watch and just say "Open Garage" and it’ll open up.
Smart Lock
Thanks for the valuable post! Personally, I like smart locks for my home. These are good and easy to use. The locks are expensive but companies offer a warranty. For more information read the article: https://fobtoronto.ca/2020/09/19/are-smart-door-locks-safe/