https://www.theregister.co.uk/2018/06/15/taplock_broken_screwdriver/

 

https://www.theregister.co.uk/2018/06/15/taplock_broken_screwdriver/

Yet another fine example of IDIoT*



*Incredibly Dangerous Internet of Things.

 

https://www.theregister.co.uk/2018/06/15/taplock_broken_screwdriver/

Nice video and thanks for the link. If you go to the comments section, you can read about the manufacturers response - interesting. You can read it yourself but it sounds to me like they are saying that the tested unit *should* have had a protrusion into the back panel to prevent rotating the back so easily. Essentially, they are saying that the unit tested was defective and they offered to replace any units found that way. They also said that they did some quality control and did not find any other units "missing" the protrusion. I am not sure what to make of that.

Beyond that, I'm not interested in weighing in on the unit but thought that it was worth a mention. Frankly, I am suspicious of any pad locks with batteries in them and I don't own any.

But, I watched several other videos and I do like that channel. The one where they used a mass spec on youtube "silver" and "gold" buttons was funny. I mean funny because I thought it was silly to think they were either silver or gold and silly because testing specific gravity can be done easily...and would tell you if they were pure solid silver or gold. They tweaked their way into getting into plating techniques and the like and the analyses on that one was pretty cool.

 

Nice video and thanks for the link. If you go to the comments section, you can read about the manufacturers response - interesting. You can read it yourself but it sounds to me like they are saying that the tested unit *should* have had a protrusion into the back panel to prevent rotating the back so easily. Essentially, they are saying that the unit tested was defective and they offered to replace any units found that way. They also said that they did some quality control and did not find any other units "missing" the protrusion. I am not sure what to make of that.

That video was mainly about the mechanical quality issues. More directly to IOT the BLE interface can be cracked in 2 seconds.
https://www.forbes.com/sites/thomas...-smart-lock-hacked-in-2-seconds/#7995baac1333

 

https://nakedsecurity.sophos.com/20...smart-padlock-its-even-worse-than-we-thought/

Sadly, it gets much worse.

Turns out you don’t need to spend two seconds, or even to use an unofficial unlocking app.

Tapplock’s cloud-based administration tools were as vulnerable as the lock, as Greek security researcher Vangelis Stykas found out very rapidly.

Amusingly, Stykas, an independent researcher who has to buy all his own kit for testing, went down the software-only route for simple practical reasons:

I did not have any locks (and I am out of IoT budget for this month as my wife has -kindly- informed me).

Turns out he saved himself $99, and ended up with a faster and even more generic Tapplock-cracking trick than PTP’s “figure out the key by sniffing the MAC address” hack.

Stykas found that once you’d logged into one Tapplock account, you were effectively authenticated to access anyone else’s Tapplock account, as long as you knew their account ID.

 

A classic example of what happens when form does not follow function.

 

That video was mainly about the mechanical quality issues. More directly to IOT the BLE interface can be cracked in 2 seconds.
https://www.forbes.com/sites/thomas...-smart-lock-hacked-in-2-seconds/#7995baac1333

The bolt cutters issue was not particularly surprising, but the software problems (discussed in the link above and in a subsequent link that you posted) is downright embarrassing. How on earth could these issues not have been considered? A "high-tech" lock with "cool" features and nobody's going to bother to look into it???? sheesh

 

A "high-tech" lock with "cool" features and nobody's going to bother to look into it???? sheesh

It really is inexcusable. It's obviously clear in hindsight but I have to think they didn't try hard enough to break their own security, and didn't challenge it enough in beta testing.

I did a little programming of an access control scheme for a couple websites. I spent a long time learning how various exploits work and how others have devised defenses, so that I could at least avoid the most noob mistakes. I'm sure a pro could get past it but at least I didn't leave the door wide open. It looks like these guys barely bothered and focused on the bells and whistles instead.

 

https://www.pentestpartners.com/security-blog/smart-locks-dumb-security/

 

Beyond that, I'm not interested in weighing in on the unit but thought that it was worth a mention. Frankly, I am suspicious of any pad locks with batteries in them and I don't own any.

Neither do I. Being dinosaur in my nature I like the old fashion mechanical combination lock. They really push the electronic locks on new safes and I have no interest in them.

Ron

 

https://www.pentestpartners.com/security-blog/smart-locks-dumb-security/

Something else on that site is this thread https://www.pentestpartners.com/sec...eives-pwnie-award-for-lamest-vendor-response/ about Bitfi. It's an entertaining read, but I think the author makes some robust points in the conclusion (quoted in part below)...

"Don’t make claims that are demonstrably false or impossible to substantiate. Everyone likes a challenge, particularly infosec researchers

If your claims are questioned, engage constructively, try to avoid confrontation. Don’t persist or the coverage will build, and the Streisand effect takes over."

I agree with that sentiment and believe it basically expresses a constructive accountability that should be acknowledged as a great asset for business and customer alike.

 

Neither do I. Being dinosaur in my nature I like the old fashion mechanical combination lock.

What? You don't trust a lock designed by a computer programmer?

 

What? You don't trust a lock designed by a computer programmer?

Nope. I have quite a few things near and dear to me in my safe and I like my old fashioned tumbler quite a bit. The battery will never go dead on me.