Don't buy a TappLock. Right now you may be asking what a TappLock is and why it matters. The TappLock, developed by Pishon and crowdfunded on Indiegogo, is a 'smartlock' that can be unlocked either by your fingerprint or by the companion smartphone app, through which you can also share access with friends. At this point it seems like a pretty cool gadget, as long as the battery doesn't run out. Luckily it's rechargeable and lasts 2 years according to the website, which is good. The website also boasts an 'unbreakable design', which is... suspicious. This is apparently due to the alloy it is made from, Zamak 3, also used in shaving razors and children's toys.
The issues first appeared when the YouTuber JerryRigEverything pulled one apart using the sticky mount of a GoPro camera. The company has since responded, and it seems this was a one-off faulty device; others trying this have thankfully failed. Unfortunately, this is not the only issue. Another channel shows a security test of the device.
As can be seen from the picture on the right, the change in size of the locking mechanism protects against shimming and prying, which you would want in a $100 padlock. Unfortunately, it also makes the latch thin enough to cut with medium-sized bolt-cutters. But this can be done to any padlock, so what is the real issue with it?
The shim protection leaves it vulnerable to bolt-cutters because the latch is too thin
So, on to the first of the problems beyond the physical device itself. The device is "encrypted with 128-bit AES", which is strong, but the phone app uses HTTP (in human speak, that means the app's traffic isn't encrypted at all). This allowed the testers to see a string of random-looking data over BLE (Bluetooth Low Energy). The strange part was that it didn't change, no matter who was connecting or how many times they connected, which is abnormal for Bluetooth. By copying this random string, anyone could authenticate to the lock and therefore unlock it. But this still requires sniffing the handshake from someone else. There is also no way to reset the lock, meaning that passcode can never change. But why is that? Well, a few minutes later, the testers found the method used to pair with the lock. It seems to be a command and two arrays, a "key" and a "serial number". Later it was found that these strings are actually created by hashing the MAC address.
To put this in perspective, any Bluetooth device sends its MAC address out to surrounding devices, and simply by encoding that address and sending it back, you unlock the lock. The attackers recently made an app to open any TappLock device in under 2 seconds; the developer's own app takes about a second...
Put simply, it sends you the password you need as soon as you walk near it with a smartphone... In fact, all you would need to get the passcode and unlock it with an Android phone is a simple hash generator (a tool for transforming text).
In the original testers' own words:
Yes. The only thing we need to unlock the lock is to know the BLE MAC address. The BLE MAC address that is broadcast by the lock.
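The two design failures described above, a credential that never changes and a "key" derived from the MAC the lock broadcasts, can be shown side by side with a toy model. This is an added illustration, not code from the testers or from Pishon; the MAC address is constructed, and the hash used to stand in for "derived from the MAC" is illustrative, not the lock's actual derivation. The hardened lock next to it uses a random per-lock key and a single-use challenge, so a sniffed response cannot be replayed.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a lock's advertised BLE MAC (not a real device).
ADVERTISED_MAC = "AA:BB:CC:DD:EE:FF"

def derive_from_mac(mac: str) -> bytes:
    # Placeholder for "key created by hashing the MAC"; illustrative only.
    return hashlib.sha256(mac.encode()).digest()

class StaticTokenLock:
    """Weak design described above: the credential is a fixed function of
    the broadcast MAC and never changes, so it can be sniffed or recomputed."""
    def __init__(self, mac: str):
        self.mac = mac
    def advertise(self) -> str:
        return self.mac          # BLE advertising makes this public
    def unlock(self, token: bytes) -> bool:
        return hmac.compare_digest(token, derive_from_mac(self.mac))

class ChallengeResponseLock:
    """Hardened design: random per-lock key provisioned at pairing (not
    derivable from anything advertised) and a single-use nonce per attempt."""
    def __init__(self):
        self.key = os.urandom(32)   # assumed set over a trusted pairing channel
        self.nonce = None
    def challenge(self) -> bytes:
        self.nonce = os.urandom(16)
        return self.nonce
    def unlock(self, response: bytes) -> bool:
        if self.nonce is None:
            return False
        expected = hmac.new(self.key, self.nonce, hashlib.sha256).digest()
        self.nonce = None       # each challenge can be answered exactly once
        return hmac.compare_digest(response, expected)

def phone_respond(key: bytes, nonce: bytes) -> bytes:
    return hmac.new(key, nonce, hashlib.sha256).digest()

def demo():
    """Returns (weak lock opens from MAC alone, owner opens hardened lock,
    replayed owner response opens hardened lock)."""
    weak = StaticTokenLock(ADVERTISED_MAC)
    from_mac_only = weak.unlock(derive_from_mac(weak.advertise()))
    lock = ChallengeResponseLock()
    captured = phone_respond(lock.key, lock.challenge())
    owner_ok = lock.unlock(captured)
    lock.challenge()            # a later session: replaying captured bytes
    replay_ok = lock.unlock(captured)
    return from_mac_only, owner_ok, replay_ok
```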