ioXt - The Global Standard for IoT Security


Tapplock’s Lesson for Retailers: Don’t Get Caught Holding the Bag

Hack of the Month


Recently, the FTC announced a settlement with smart lock manufacturer Tapplock. Back in 2018, the Canadian start-up that raised $320K through Indiegogo and presold 5,000 units hit the market with its cool-looking fingerprint locks. Unfortunately, soon after, its product was found to be seriously flawed.  

First, there was the physical attack problem. One researcher was able to twist off the back of his $99 Tapplock with a GoPro mount to access the guts and spring the lock.  

But second, and perhaps worse for a “smart” product, was the not-so-smart lack of security built into all Tapplocks. Through Bluetooth, the password used to pair the device with a user’s phone was merely a simple hash of the MAC address that every lock broadcasts. So, once discovered, someone could literally walk around and open every Tapplock in the marketplace. No authorization code required. Also, once a user gave their Tapplock password to someone else, there was no taking it back. Since user rights couldn’t be revoked, a one-time password share became a forever gift.  
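The two design defects above (a pairing secret derived from a broadcast identifier, and no way to revoke a shared credential) are easiest to see side by side. The following is an added illustration, not code from ioXt, Tapplock or the Pen Test Partners report: it models a toy lock whose key is a plain SHA-256 of its advertised MAC (an assumption for illustration, not Tapplock’s actual hash), and a hardened variant that uses per-user random tokens the owner can revoke. The MAC address is a constructed sample value.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed sample advertisement data, not a real device's address.
SAMPLE_MAC = "AA:BB:CC:DD:EE:01"


def weak_pairing_key(mac: str) -> bytes:
    """Toy 'secret derived from a broadcast identifier' design.

    Assumption for illustration (not Tapplock's real algorithm): the pairing
    key is SHA-256 of the advertised MAC. Whatever hash is chosen, everyone
    who can see the advertisement holds every input needed to recompute it.
    """
    return hashlib.sha256(mac.encode()).digest()


@dataclass
class WeakLock:
    """The lock stores no secret of its own: the key is a function of public data."""
    mac: str

    def accepts(self, candidate: bytes) -> bool:
        return hmac.compare_digest(candidate, weak_pairing_key(self.mac))


@dataclass
class HardenedLock:
    """Per-user random tokens, issued at grant time and deletable by the owner."""
    mac: str
    grants: dict = field(default_factory=dict)  # user_id -> 128-bit random token

    def grant(self, user_id: str) -> bytes:
        # The token is drawn from the OS CSPRNG; nothing public lets you compute it.
        token = secrets.token_bytes(16)
        self.grants[user_id] = token
        return token

    def revoke(self, user_id: str) -> None:
        # Revocation is a real operation here: the shared credential stops working.
        self.grants.pop(user_id, None)

    def accepts(self, user_id: str, token: bytes) -> bool:
        stored = self.grants.get(user_id)
        return stored is not None and hmac.compare_digest(stored, token)


def broadcast_alone_unlocks_weak(mac: str = SAMPLE_MAC) -> bool:
    """Does knowing only the advertised MAC satisfy the weak lock? (Yes.)"""
    lock = WeakLock(mac)
    observed_mac = mac  # all a passer-by learns from the BLE advertisement
    return lock.accepts(weak_pairing_key(observed_mac))


def broadcast_alone_unlocks_hardened(mac: str = SAMPLE_MAC) -> bool:
    """Does the same public knowledge satisfy the hardened lock? (No.)"""
    lock = HardenedLock(mac)
    lock.grant("owner")
    # The best anyone can do from public data is a guess derived from the MAC.
    guess = weak_pairing_key(mac)[:16]
    return lock.accepts("owner", guess)


def revocation_works(mac: str = SAMPLE_MAC) -> tuple:
    """Share a credential, revoke it, and confirm the owner is unaffected."""
    lock = HardenedLock(mac)
    owner_token = lock.grant("owner")
    friend_token = lock.grant("friend")
    before = lock.accepts("friend", friend_token)   # True
    lock.revoke("friend")
    after = lock.accepts("friend", friend_token)    # False
    owner_still = lock.accepts("owner", owner_token)  # True
    return before, after, owner_still


if __name__ == "__main__":
    print("weak lock opens with broadcast data only:", broadcast_alone_unlocks_weak())
    print("hardened lock opens with broadcast data only:", broadcast_alone_unlocks_hardened())
    print("grant / revoke / owner still works:", revocation_works())
```

The point for a retailer or certifier evaluating a product is the question this toy makes concrete: can the credential be recomputed from anything the device transmits in the clear, and can a credential that has been shared be withdrawn? A product that answers “yes” and “no” respectively has the Tapplock problem regardless of how strong its hash function is.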

In essence, the “unbreakable” “first smart fingerprint padlock” was breakable, easily hackable—and well, kinda useless.  

The FTC alleged Tapplock deceived consumers in two ways: by claiming its product was designed to be “unbreakable” and by claiming it took reasonable steps to secure user data. In the end, the real winner seemed to be standard padlocks, which generally cost under $10, take heavy-duty bolt cutters to crack and don’t collect or share user data. Tapplock is now “on lockdown” as a manufacturer, being closely watched by the FTC for the next 20 years. It’s not exactly the entrepreneurial dream.  

But what about retailers? Interestingly, for them, the tale of Tapplock may not end with the FTC’s actions. In fact, it could just be the beginning. Because, believe it or not, at the time of this writing, at least two big-box retailers and one online “jungle” are still selling Tapplock locks.   

If you’re a retailer and someone in your supply chain gets “FTC’d” because they didn’t follow industry best practices, when do you think the class-action lawyers will come to your store and sue you?  

Zooming back a bit further, two calmer, thought-provoking questions are: Do you know what’s in your supply chain? And at what point do you hold liability for selling insecure products?  

Newsflash: We live in a litigious society. It can be a hard truth for business. But I’m betting there are more than a few attorneys who are ready to approach companies with Tapplocks on their real or virtual shelves and say, “You’re selling an unsafe product and holding the bag. Time to pay up.”    

This is why retailers need to have a security standard in their channel. And why the ioXt Certification Program is an easy way to get it done.  

The ioXt Certification Program was created by the ioXt Alliance, an organization whose members are from the biggest names in tech and whose purpose is to identify and set security standards that bring security, upgradability and transparency to the market. The Program’s ioXt stamp identifies products that have been certified as secure by ioXt, either through third-party test labs or bonded self-certification.  

Beyond providing a means for manufacturers to assess and rate a product’s security, the ioXt Certification Program reassures retailers, and ultimately consumers, that products bearing the ioXt mark are safe and secure by design. Because the ioXt Certification Program is a living process through which cyber threats are continuously evaluated, it also means manufacturers are informed of weaknesses before they have a chance to impact entire IoT ecosystems.  

With the ioXt stamp, you can see the security ratings of all ioXt-certified products and receive notification if there are any issues in your supply chain before the FTC or any other drama gets a chance to unfold.  

It’s really about having visibility in your supply chain around security. 

And about protecting your business against a takedown by the next great “smart” product that’s less secure than, say, the old school product it’s meant to replace.  

To learn more about the ioXt Certification Program, visit ioXtAlliance.org 

For the detailed analysis of the defects, see the report at Pen Test Partners