FTC The Latest To Discover 'Smart' Locks Are Dumb, Easily Compromised

from the dumb-is-the-new-smart dept

Like most internet of broken things products, we've noted how "smart" door locks often aren't all that smart. More than a few times we've written about smart lock consumers getting locked out of their own homes without much recourse. Other times we've noted how the devices simply aren't that secure, with one study finding that 12 of 16 smart locks they tested could be relatively easily hacked thanks to flimsy security standards, something that's the primary feature of many internet of broken things devices.

This week, the FTC released a complaint (pdf) against Tapplock, the maker of a "smart," fingerprint-reading padlock the company's website proclaims delivers "99.999% accuracy" while unlocking in "0.8 seconds." In the complaint and a companion press release, the FTC makes it clear the products are clearly exploitable -- either by simply unscrewing the back, or by hacking the device's Bluetooth link between the lock and its companion app. Based on the FTC complaint, the company did the bare minimum to ensure the devices were actually secure:

"We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Tech companies should remember the basics—when you promise security, you need to deliver security.”

On top of that, the FTC noted that the company collected a notable amount of data including user location, lock locations, email addresses, and other data the company then failed to (surprise!) secure. In fact, the FTC goes so far as to suggest that, like so many IoT companies, Tapplock failed to even have a basic security program to protect product integrity and consumer data:

"Contrary to the statements described in Paragraphs 8-11, Respondent did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information. In fact, Respondent did not have a security program prior to the discovery of the vulnerabilities described..."

Granted, this is the kind of action we need more of from the FTC in the internet of broken things era. But at the same time this is a drop in the bucket when you consider the mountain of companies -- many outside of the reach of the FTC -- that build internet-connected devices with flimsy to nonexistent security and privacy protections. As security experts like Bruce Schneier have long noted, there's a market failure in the IoT space where neither the manufacturer nor the consumer has any incentive to do or demand better. Especially as it pertains to network-connected devices that aren't clear about what data is being transmitted:

"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."

Fixing the IoT mess will require collaboration between researchers, consumers, academics, governments, and industry. But as Schneier has also noted, the incentive for such collaboration probably won't materialize until after there's a privacy scandal so severe it finally prompts us to collectively give a damn.

Filed Under: ftc, security, smart locks


Reader Comments

  • Upstream (profile), 10 Apr 2020 @ 2:08pm

    When it comes to IoT, "Just Say No!"

    And we need to hope that the mentioned severe privacy scandal occurs before a severe death or serious injury scandal.


  • Norahc (profile), 10 Apr 2020 @ 5:50pm

    The devices connected to the IoT are smart...

    On the other hand, the people making them and relying on them to be secure are blithering idiots.

    Maybe IoT should be changed to Idiots Owning Technology.


    • Anonymous Coward, 11 Apr 2020 @ 6:16am

      Re:

      I have often wondered just what they are talking about when they advertise their smart products. Defining exactly what the word smart means is difficult at best, but then attempting to apply it toward an inanimate object is just silly. Perhaps they want it to be intelligent, like in AI, but do not know what that is either, so they imply all sorts of silly traits that no one is able to verify.

      Oh yeah, and why connect the house door locks to the internet? What benefit is there? Seems there are plenty of items in the down side column and little to nothing in the up side, must be a product in search of a market.


      • nasch (profile), 13 Apr 2020 @ 8:02am

        Re: Re:

        Oh yeah, and why connect the house door locks to the internet? What benefit is there?

        If you would like to know who is coming and going while you're not home. You want to unexpectedly let someone in the house while you're on vacation. Probably other reasons I'm not thinking of.


  • Agammamon, 10 Apr 2020 @ 6:05pm

    the FTC makes it clear the products are clearly exploitable -- either by simply unscrewing the back

    Seriously?

    I mean, if you're unscrewing the back you're already inside . . .

    And it's the exact same vulnerability a keyed deadbolt has - get inside, unscrew the facing, remove the deadbolt, open th . . . waitaminit


  • anonymous asshat, 10 Apr 2020 @ 10:54pm

    When will these companies learn?

    The real money in IoT tat is the data you slurp. If even the below-average script kiddie can easily get the company's data, then it is no longer the company's proprietary data. Great work destroying your business model, IoT tat makers.


  • Anonymous Coward, 11 Apr 2020 @ 2:28am

    Yep, there are so many things in this world that boil down to poorly manufactured, dangerous cyber crap from China (or India or something).


    • Anonymous Coward, 11 Apr 2020 @ 6:20am

      Re:

      China .. India .. it used to be Japan then Korea ...

      Seems it is just the next third world country to be exploited by the corporate outsourcing that has become so popular these days.


  • Jamie, 11 Apr 2020 @ 5:21am

    There's a common saying in information security circles:

    The 'S' in 'IoT' stands for 'security'.

    I think that says it all.


  • Anonymous Coward, 11 Apr 2020 @ 11:07am

    While the buyers of random "smart" doohickeys may indeed have little reason to care if their security-challenged trinkets get used to DDoS someone they don't know on the internet, it seems rather likely most buyers of locks do care if every kid with a smartphone can break into their property.


  • Anonymous Coward, 12 Apr 2020 @ 10:50am

    I had a couple of these locks given to me by a friend. Physical security was a joke - a rather light hit from a hammer would pop one open. Worse was that this piece of electronics wasn't anywhere near waterproof and one week on an outside gate in the rain was enough to destroy one and make me get bolt cutters out.

    But that's not even the worst part. I like the idea of a fingerprint lock. Biometric security on a lock is convenient. No keys to carry or lose, no codes to forget, and the technology is getting rather robust. But then someone decided that the whole thing had to connect to the Internet to gather personal information instead of leaving it the closed loop device it could have been.

    Oh, and a proprietary power supply, too. smh


  • Anonymous Coward, 13 Apr 2020 @ 7:56am

    Just another reason why I won't use IoT devices. I'm a HomeKit house, which uses encryption. The downside is it's iOS/Apple only, but being so, it's much more secure. I still have NO smart locks on my house. The closest to that would be my main garage door, which is how we leave my house 99.9% of the time anyway, and that is SMART. There is no smart door lock to access, though. I can open it with my voice. Lift up my wrist for my Apple Watch and just say "Open Garage" and it'll open up.

