Screwdriver optional: fingerprint lock broadcasts its unlock code over Bluetooth (and the steel is garbage)

Fingerprint locks are catastrophically awful, part LXVII: the software security on the crowdfunded Tapplock "is basically nonexistent" — the lock broadcasts its own unlock code over Bluetooth, and if you send it back to the lock, it pops open.


It's also seemingly made out of steel tempered with papier mache: Pentest Partners were able to snip through it easily with a 12-inch boltcutter.

It makes that lock that Mark wrote about — described by its manufacturer as "invincible to people who do not have a screwdriver" — look pretty good by comparison!

YouTuber JerryRigEverything proved that he could pull the lock apart using just a sticky GoPro mount, while cybersecurity company PenTest Partners found that the actual code and digital authentication methods for the lock were basically nonexistent. All someone would need to unlock the lock is its Bluetooth Low Energy MAC address, which the lock itself broadcasts. Essentially, the lock doesn't encrypt any of its data, leaving anyone who's looking for it all the information they'd need to gain access to the lock and open it up. PenTest Partners also snapped the lock with a pair of 12-inch bolt cutters. So, really, maybe don't buy a smart lock?


This fingerprint-verified padlock is extremely easy to hack [Ashley Carman/The Verge]


(via /.)