Yet another fine example of IDIoT*
Nice video and thanks for the link. If you go to the comments section, you can read about the manufacturer's response - interesting. You can read it yourself but it sounds to me like they are saying that the tested unit *should* have had a protrusion into the back panel to prevent rotating the back so easily. Essentially, they are saying that the unit tested was defective and they offered to replace any units found that way. They also said that they did some quality control and did not find any other units "missing" the protrusion. I am not sure what to make of that.
That video was mainly about the mechanical quality issues. More directly to IoT, the BLE interface can be cracked in 2 seconds.
Sadly, it gets much worse.
Turns out you don’t need to spend two seconds, or even to use an unofficial unlocking app.
Tapplock’s cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly.
Amusingly, Stykas, an independent researcher who has to buy all his own kit for testing, went down the software-only route for simple practical reasons:
I did not have any locks (and I am out of IoT budget for this month as my wife has -kindly- informed me).
Turns out he saved himself $99, and ended up with a faster and even more generic Tapplock-cracking trick than PTP’s “figure out the key by sniffing the MAC address” hack.
Stykas found that once you’d logged into one Tapplock account, you were effectively authenticated to access anyone else’s Tapplock account, as long as you knew their account ID.
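The account-ID flaw described above, reduced to its essence as an added illustration (this is not Tapplock's code, and the lock records, tokens and user ids are constructed): the vulnerable handler proves the caller is logged in and then trusts the account id the caller supplied, while the hardened handler takes the account from the session and never from the request.

```python
"""Added example, not Tapplock's code: authentication is not authorization."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Lock:
    lock_id: str
    owner_id: str
    unlock_key: str  # constructed sample secret the app would hand to a client


# Constructed sample data: two customers, one lock each.
LOCKS = {
    "lock-1": Lock("lock-1", "user-A", "key-A-secret"),
    "lock-2": Lock("lock-2", "user-B", "key-B-secret"),
}
# Constructed session tokens issued at login, mapped to the user they belong to.
SESSIONS = {"tok-A": "user-A", "tok-B": "user-B"}


def _authenticate(token: str) -> str:
    """Return the user a session token was issued to; fail if it is unknown."""
    try:
        return SESSIONS[token]
    except KeyError:
        raise PermissionError("not logged in")


def get_lock_vulnerable(token: str, account_id: str, lock_id: str) -> Lock:
    """Checks only that *someone* is logged in, then trusts a caller-supplied
    account id: any authenticated user can read any other account's lock."""
    _authenticate(token)
    lock = LOCKS[lock_id]
    if lock.owner_id != account_id:  # compares two values the caller chose
        raise PermissionError("wrong account")
    return lock


def get_lock_hardened(token: str, lock_id: str) -> Optional[Lock]:
    """Derives the account from the session; a lock the caller does not own is
    reported exactly like a lock that does not exist (None, i.e. a 404)."""
    caller = _authenticate(token)
    lock = LOCKS.get(lock_id)
    if lock is None or lock.owner_id != caller:
        return None
    return lock
```

The hardened version also removes the enumeration oracle: a caller cannot learn whether a lock id exists by comparing "not found" with "not yours".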
The bolt cutters issue was not particularly surprising, but the software problems (discussed in the link above and in a subsequent link that you posted) are downright embarrassing. How on earth could these issues not have been considered? A "high-tech" lock with "cool" features and nobody's going to bother to look into it???? sheesh
https://www.forbes.com/sites/thomas...-smart-lock-hacked-in-2-seconds/#7995baac1333
It really is inexcusable. It's obviously clear in hindsight but I have to think they didn't try hard enough to break their own security, and didn't challenge it enough in beta testing.
> Beyond that, I'm not interested in weighing in on the unit but thought that it was worth a mention. Frankly, I am suspicious of any pad locks with batteries in them and I don't own any.
Neither do I. Being a dinosaur by nature, I like the old-fashioned mechanical combination lock. They really push the electronic locks on new safes and I have no interest in them.
Something else on that site is this thread https://www.pentestpartners.com/sec...eives-pwnie-award-for-lamest-vendor-response/ about Bitfi. It's an entertaining read, but I think the author makes some robust points in the conclusion (quoted in part below)...
What? You don't trust a lock designed by a computer programmer?
Nope. I have quite a few things near and dear to me in my safe and I like my old-fashioned tumbler quite a bit. The battery will never go dead on me.