FTC The Latest To Discover 'Smart' Locks Are Dumb, Easily Compromised
from the dumb-is-the-new-smart dept
Like most internet of broken things products, we've noted how "smart" door locks often aren't all that smart. More than a few times we've written about smart lock consumers getting locked out of their own homes without much recourse. Other times we've noted how the devices simply aren't that secure, with one study finding that 12 of 16 smart locks they tested could be relatively easily hacked thanks to flimsy security standards, something that's the primary feature of many internet of broken things devices.
This week, the FTC released a complaint (pdf) against Tapplock, the maker of a "smart," fingerprint reading padlock the company's website proclaims delivers "99.999% accuracy" while unlocking in "0.8 seconds." In the complaint and a companion press release, the FTC makes it clear the products are clearly exploitable -- either by simply unscrewing the back, or by hacking the device's bluetooth link between the lock and its companion app. Based on the FTC complaint, the company did the bare minimum to ensure the devices were actually secure:
"We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Tech companies should remember the basics—when you promise security, you need to deliver security.”
On top of that, the FTC noted that the company collected a notable amount of data including user location, lock locations, email addresses, and other data the company then failed to (surprise!) secure. In fact, the FTC goes so far to suggest that, like so many IOT companies, Tapplock failed to even have a basic security program to protect product integrity and consumer data:
"Contrary to the statements described in Paragraphs 8-11, Respondent did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information. In fact, Respondent did not have a security program prior to the discovery of the vulnerabilities described..."
Granted this is the kind of action we need more of from the FTC in the internet of broken things era. But at the same time this is a drop in the bucket when you consider the mountain of companies -- many outside of the reach of the FTC -- that build internet-connected devices with flimsy to nonexistent security and privacy protections. As security experts like Bruce Schneier have long noted, there's a market failure in the IOT space where neither the manufacturer nor the consumer have any incentive to do or demand better. Especially as it pertains to network-connected devices that aren't clear about what data is being transmitted:
"The market can't fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don't care. Their devices were cheap to buy, they still work, and they don't know any of the victims of the attacks. The sellers of those devices don't care: They're now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It's an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution."
Fixing the IOT mess will require a cross collaboration between researchers, consumers, academics, governments, and industry. But as Schneier has also noted, the incentive for such collaboration probably won't materialize until after there's a privacy scandal so severe it finally prompts us to collectively give a damn.
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: ftc, security, smart locks
Reader Comments
Subscribe: RSS
View by: Time | Thread
When it comes to IoT, "Just Say No!"
And we need to hope that the mentioned severe privacy scandal occurs before a severe death or serious injury scandal.
[ link to this | view in chronology ]
The devices connected to the IoT are smart...
On the other hand, the people making them and relying on them to be secure are blithering idiots.
Maybe IoT should be changed to Idiots Owning Technology.
[ link to this | view in chronology ]
Re:
I have often wondered just what they are talking about when they advertise their smart products. Defining exactly what the word smart means is difficult at best but then attempting to apply it toward an inanimate object is just silly. Perhaps they want it to be intelligent, like in AI but do not know what that is either so they imly all sort of silly traits that no one is able to verify.
Oh yeah, and why connect the house door locks to the internet? What benefit is there? Seems there are plenty of items in the down side column and little to nothing in the up side, must be a product in search of a market.
[ link to this | view in chronology ]
Re: Re:
If you would like to know who is coming and going while you're not home. You want to unexpectedly let someone in the house while you're on vacation. Probably other reasons I'm not thinking of.
[ link to this | view in chronology ]
Seriously?
I mean, if you're unscrewing the back you're already inside . . .
And its the exact same vulnerability a keyed deadbolt has - get inside, unscrew the facing, remove the deadbolt, open th . . . waitaminit
[ link to this | view in chronology ]
Re:
It's a padlock. Both sides accessible from outside whatever it is trying to lock up.
[ link to this | view in chronology ]
When will these companies learn?
The real money in IoT tat is the data you slurp. If even the below average scrip kiddie can easily get the company's data then it is no longer the company's proprietary data. Great work destroying your business model IoT tat makers.
[ link to this | view in chronology ]
Yep, there are some many things in this world that boil down to poorly manufactured, dangerous cyber crap from china (or india or something).
[ link to this | view in chronology ]
Re:
China .. India .. it used to be Japan then Korea ...
Seems it is just the next third world country to be exploited by the corporate outsourcing that has become so popular these days.
[ link to this | view in chronology ]
Re: Re:
Hey, c'mon, now... we've proven we can build insecure, crappy IoT devices right here in the US. 'Murrica demands its seat at the table!
[ link to this | view in chronology ]
There's a common saying in information security circles:
I think that says it all.
[ link to this | view in chronology ]
While the buyers of random "smart" doohickeys may indeed have little reason to care if their security-challenged trinkets get used to DDoS someone they don't know on the internet, it seems rather likely most buyers of locks do care if every kid with a smartphone can break into their property.
[ link to this | view in chronology ]
I had a couple of these locks given to me by a friend. Physical security was a joke - a rather light hit from a hammer would pop one open. Worse was that this piece of electronics wasn't anywhere near waterproof and one week on an outside gate in the rain was enough to destroy one and make me get bolt cutters out.
But that's not even the worst part. I like the idea of a fingerprint lock. Biometric security on a lock is convenient. No keys to carry or lose, no codes to forget, and the technology is getting rather robust. But then someone decided that the whole thing had to connect to the Internet to gather personal information instead of leaving it the closed loop device it could have been.
Oh, and a proprietary power supply, too. smh
[ link to this | view in chronology ]
Just another reason why I won't use IoT devices. I'm a Homekit house which uses encryption. The downside is it's iOS/Apple only, but being so, it's much more secure. I still have NO Smart locks on my house. The closest to that would me my main Garage Door, which is how we leave my hour 99.9% of the time anyway, and that is SMART. There is no Smart Door Lock to access though. I can open it with my voice. Lift up my worst for my Apple Watch and just say "Open Garage" and it'll open up.
[ link to this | view in chronology ]
Smart Lock
[ link to this | view in chronology ]