SoylentNews is people

posted by chromas on Friday June 15 2018, @01:20PM
from the where's-the-blockchain? dept.

A hi-tech padlock secured with a fingerprint can be opened by anyone with a smartphone, security researchers have found.

On its website, Tapplock is described as the "world's first smart fingerprint padlock".

But researchers said it took just 45 minutes to find a way to unlock any Tapplock.

[...] The "major flaw" in its design is that the unlock key for the device is easily discovered because it is generated from the Bluetooth Low Energy ID that is broadcast by the lock.

Anyone with a smartphone would be able to pick up this key if they scanned for Bluetooth devices when close to a Tapplock.

Using this key in conjunction with commands broadcast by the Tapplock would let attackers successfully open any one they found, said Mr Tierney.

In response, Tapplock said in a statement that it was issuing a software update.

-- submitted from IRC



This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 4, Interesting) by Immerman on Friday June 15 2018, @01:53PM (11 children)

    by Immerman (3985) on Friday June 15 2018, @01:53PM (#693475)

    I'm still waiting for the day that "smart" padlocks exceed the security of traditional ones.

    Seems to me the rule of thumb is that a traditional lock (especially padlocks) needs at least a modicum of personal lockpicking skill to open, while a smart one just needs you to have downloaded the right piece of software. Or bolt-cutters in either case.

    I'll stick with the traditional locks, thanks. Heck, the good ones are almost unpickable - and if you're targeted by a thief with enough skill to do so, then you may as well just give up.

    • (Score: 2) by JoeMerchant on Friday June 15 2018, @01:58PM (9 children)

      by JoeMerchant (3937) on Friday June 15 2018, @01:58PM (#693479)

      The bolt cutters will always win. I think a flask of LN2 can speed the process, also.

      As for:

      hi-tech padlock secured with a fingerprint

      shouldn't that be a hype-tech padlock that you can open with a fingerprint, or a replay attack that even garage door openers figured out how to defeat with rolling codes in the 1970s?

      --
      🌻🌻 [google.com]
      • (Score: 4, Informative) by EvilSS on Friday June 15 2018, @02:01PM (7 children)

        by EvilSS (1456) Subscriber Badge on Friday June 15 2018, @02:01PM (#693482)
        Bolt cutters won't always win, but I've yet to see a lock that can stand up to an angle grinder.
        • (Score: 2) by BsAtHome on Friday June 15 2018, @02:33PM (4 children)

          by BsAtHome (889) on Friday June 15 2018, @02:33PM (#693502)

          They do exist, locks capable of resisting angle grinders.

          However, I have never seen a lock resisting a regular tank. Well, a safe's version may require a sizable tank with proper ammunition.

          • (Score: 2) by Snow on Friday June 15 2018, @03:01PM (2 children)

            by Snow (1601) on Friday June 15 2018, @03:01PM (#693517) Journal

            I'd just throw a rock through your window.

            Locks are for honest people.

            • (Score: 2) by Snow on Friday June 15 2018, @03:02PM

              by Snow (1601) on Friday June 15 2018, @03:02PM (#693519) Journal

              Oh, I didn't realize this was a padlock.

              Nevermind, carry on!

            • (Score: 4, Insightful) by JoeMerchant on Friday June 15 2018, @07:03PM

              by JoeMerchant (3937) on Friday June 15 2018, @07:03PM (#693648)

              Any time my wife gets "worried about the security of our door locks" I remind her that we've got 4 giant walls of glass, 2 on either side of 2 doors - it doesn't really matter how good our locks are, or aren't.

              --
              🌻🌻 [google.com]
          • (Score: 1, Touché) by Anonymous Coward on Friday June 15 2018, @04:01PM

            by Anonymous Coward on Friday June 15 2018, @04:01PM (#693551)

            Or two tanks, one of oxygen and the other acetylene commanded by a blowtorch.

        • (Score: 0) by Anonymous Coward on Friday June 15 2018, @05:50PM (1 child)

          by Anonymous Coward on Friday June 15 2018, @05:50PM (#693610)

          I was told that a can of aerosol Cheese-Whiz will open most key type locks when sprayed into a keyhole.

          • (Score: 2) by kazzie on Saturday June 16 2018, @09:24AM

            by kazzie (5309) Subscriber Badge on Saturday June 16 2018, @09:24AM (#693894)

            Have the mice also told you that you have several large "keyholes" in your skirting board?

      • (Score: 2) by FatPhil on Friday June 15 2018, @02:41PM

        LN2 helps the club hammer solution more than the angle-grinder solution.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 2) by darkfeline on Monday June 18 2018, @06:59AM

      by darkfeline (1030) on Monday June 18 2018, @06:59AM (#694442) Homepage

      The majority of traditional locks are very easy to pick or bypass. "A modicum of personal lockpicking skill" can be acquired with a few hours of free time and basic manual dexterity. Locks are only there to keep honest men honest; real security is much more expensive since you need to keep the whole system in mind (weak chains, windows, door frames, walls, ceiling, floor, the thing you're chaining your bike to, there are many avenues for attack).

      There's nothing inherently wrong with smart locks; a well-designed smart lock would be significantly harder to open and much cheaper than an equivalent traditional lock: an open source app that generates a private and public key, copies the public key to the open source lock, the lock is opened by signing a randomly generated token with the private key. Physical locks can always be picked if you're good enough, but no amount of amazing human dexterity is going to help you crack that 4096 bit private key.

      --
      Join the SDF Public Access UNIX System today!
  • (Score: 3, Interesting) by JoeMerchant on Friday June 15 2018, @01:54PM

    by JoeMerchant (3937) on Friday June 15 2018, @01:54PM (#693477)

    It's not too computationally intensive for a low power embedded processor to verify an ECDSA signature which could not only thwart replay attacks, but even could prevent obtaining the unlock code with total knowledge of what's in the lock.

    Even without ECC, a little thought put into a challenge-response protocol can thwart replay attacks.

    --
    🌻🌻 [google.com]
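The contrast the story and the comments above draw, as an added example that is not part of the original thread or of any vendor's code: a lock whose unlock key is a function of its broadcast ID, next to a lock that issues a fresh random challenge for every unlock. The derivation in `derived_key`, the class names and the sample ID are assumptions for illustration; the challenge-response side uses a shared secret with HMAC (the "even without ECC" variant) rather than the signature scheme the comments mention.

```python
import hashlib
import hmac
import secrets


def derived_key(broadcast_id: bytes) -> bytes:
    """Weak pattern: the key is a pure function of a value the lock advertises.
    SHA-256 is a stand-in here, NOT the vendor's actual derivation."""
    return hashlib.sha256(broadcast_id).digest()[:16]


class StaticKeyLock:
    """Models the flawed design: one fixed unlock message per lock."""

    def __init__(self, broadcast_id: bytes):
        self.broadcast_id = broadcast_id          # visible to any scanner in range
        self._key = derived_key(broadcast_id)     # no secret input at all

    def unlock(self, message: bytes) -> bool:
        return hmac.compare_digest(message, self._key)


def respond(secret: bytes, nonce: bytes) -> bytes:
    """App side: prove knowledge of the secret for this one challenge."""
    return hmac.new(secret, b"unlock" + nonce, hashlib.sha256).digest()


class ChallengeResponseLock:
    """Random per-lock secret set at pairing, single-use nonce per unlock."""

    def __init__(self, broadcast_id: bytes):
        self.broadcast_id = broadcast_id
        self._secret = None
        self._nonce = None

    def pair(self) -> bytes:
        # Assumption: pairing happens once over a channel the owner trusts.
        self._secret = secrets.token_bytes(32)    # unrelated to broadcast_id
        return self._secret

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response: bytes) -> bool:
        nonce, self._nonce = self._nonce, None    # a nonce is consumed on first use
        if nonce is None or self._secret is None:
            return False
        return hmac.compare_digest(response, respond(self._secret, nonce))


def demo() -> dict:
    bid = bytes.fromhex("0011223344ff")           # constructed sample broadcast ID
    results = {}

    # Static design: everything needed is computable from the advertisement,
    # and the same message works every time.
    weak = StaticKeyLock(bid)
    computed = derived_key(weak.broadcast_id)
    results["static_open_from_broadcast_id"] = weak.unlock(computed)
    results["static_replay"] = weak.unlock(computed)

    # Challenge-response design.
    strong = ChallengeResponseLock(bid)
    secret = strong.pair()
    first = respond(secret, strong.challenge())
    results["cr_owner"] = strong.unlock(first)

    # Same response again without a new challenge: nonce already consumed.
    results["cr_reuse_nonce"] = strong.unlock(first)

    # Captured response replayed against a fresh challenge.
    strong.challenge()
    results["cr_replay"] = strong.unlock(first)

    # Key computed from the broadcast ID is useless against a random secret.
    nonce = strong.challenge()
    results["cr_derived_guess"] = strong.unlock(respond(derived_key(bid), nonce))
    return results


if __name__ == "__main__":
    for name, opened in demo().items():
        print(f"{name}: {'opens' if opened else 'rejected'}")
```

Unlike the signature variant, a shared-secret lock still stores the unlock secret itself, so reading the lock's memory reveals it; only the public-key design keeps that property.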
  • (Score: 5, Informative) by EvilSS on Friday June 15 2018, @01:59PM (8 children)

    by EvilSS (1456) Subscriber Badge on Friday June 15 2018, @01:59PM (#693480)
    This is the same lock that you can stick a go-pro mount or similar to the back of and unscrew the back plate of the lock and take it apart. https://www.youtube.com/watch?v=RxM55DNS9CE [youtube.com]
    • (Score: 5, Informative) by requerdanos on Friday June 15 2018, @02:12PM

      by requerdanos (5997) Subscriber Badge on Friday June 15 2018, @02:12PM (#693492) Journal

      Smart Lock Can be Hacked 'in Seconds'

      This is the same lock... unscrew the back plate of the lock and take it apart.

      In response, an unnamed source said in a statement that they knew that the lock was good only for separating IOT worshippers from their money, and certainly served no security purpose, but not to worry, that the mfr. was "issuing a software update" as if that were somehow relevant.

    • (Score: 2) by FatPhil on Friday June 15 2018, @02:49PM (3 children)

      Thanks for the link. I'm a bit disappointed that he didn't spend a bit longer grinding the scanner face plate with some corundum until it made the lock unopenable (by the legit owner), and therefore only openable by bad guys.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 2) by EvilSS on Friday June 15 2018, @03:02PM (1 child)

        by EvilSS (1456) Subscriber Badge on Friday June 15 2018, @03:02PM (#693518)
        To render it inoperable it would be easier to just open the back and cut the battery out.
      • (Score: 2, Funny) by anubi on Saturday June 16 2018, @08:14AM

        by anubi (2828) on Saturday June 16 2018, @08:14AM (#693886) Journal

        There is this story flying around that a city near to me held a "sawdust festival", and the local brick-and-mortar merchants all got together to "work with" the city to ban all the cart vendors from the street, and succeeded in getting the city politicos to craft ordinances banning the street carts from vending food, drink, and souvenirs.

        I understand the entire group of store merchants discovered the morning of the festival that someone had come by in the middle of the night and shot every front door lock full of super glue.

        And the cart vendors showed up anyway.

        Ten thousand people, and the stores could not open their front door.

        They had locksmiths coming in from all over Southern California, but by the time they got there, the festival was already well underway.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 4, Informative) by JoeMerchant on Friday June 15 2018, @02:55PM (2 children)

      by JoeMerchant (3937) on Friday June 15 2018, @02:55PM (#693511)

      Back in the 1980s, I bought a "magic magnet key" padlock, for about $8 - which, considering I was making $3.35/hr at the time was probably more expensive than this hype-tech lock would be for me today. That padlock still works - the keys are made with a combination of I think 4 magnets in random polarizations (not a lot of combinations, but not a lot of people bought those locks, either). Magnets haven't depolarized, keys still work to open it, and it's solid as any other padlock you'll see, much more solid than the dial ones they sell for $8 today. Mine has a round face with a round faced key pad in the middle of it, I don't see any similar ones on Google Images, though there are new magnetic key locks out there.

      --
      🌻🌻 [google.com]
      • (Score: 2) by FakeBeldin on Sunday June 17 2018, @05:53PM (1 child)

        by FakeBeldin (3360) on Sunday June 17 2018, @05:53PM (#694303) Journal

        Couldn't resist.

        Back in the 1980s, I bought a "magic magnet key" padlock, for about $8 - which, considering I was making $3.35/hr at the time was probably more expensive than this hype-tech lock would be for me today.

        At $3.35/hr, you would have had to work (almost) 2.4hrs, that is about 2 hours and 24 minutes.

        This lock was originally going for $99. You'd have to be taking home $41.25/hr for that. That's $330/day, or $1650/wk, or $6600/4wks. Or, if you get paid for 52 weeks a year: $85,800/yr. That's *well* above the US's median salary for September 2017 ($59,039).

        Conclusion: maybe it's cheaper for you than that old lock, but likely not by much.

        • (Score: 2) by JoeMerchant on Monday June 18 2018, @01:20AM

          by JoeMerchant (3937) on Monday June 18 2018, @01:20AM (#694384)

          Well, there's some sliding scale on that - back in the 80s I had a shit job making minimum wage, whereas today I have an education and 25+ years experience, so I've moved up the scale a bit, even beyond "median." OTOH, I'm sole income provider for 4 people, so the money doesn't go as far as it used to, either...

          --
          🌻🌻 [google.com]
  • (Score: 3, Insightful) by SomeGuy on Friday June 15 2018, @02:11PM (5 children)

    by SomeGuy (5632) on Friday June 15 2018, @02:11PM (#693491)

    "smart" and "fingerprint padlock" do not belong together.

    I prefer not to have my appendages become a target for thieves.

    What is so horribly wrong with a mechanical key or, if it has to be electric, a key card?

    Right, fingerprints have more electrolytes. It's what blockchain AI craves.

    Hmm, the picture shows a green LED. That can't be right. Only ooolld stuff has green or red LEDs. It must alternate with a burn-out-your-eye-socket-so-you-can't-use-retina-authentication blue LEDs.

    • (Score: 2) by JoeMerchant on Friday June 15 2018, @02:58PM (3 children)

      by JoeMerchant (3937) on Friday June 15 2018, @02:58PM (#693514)

      I will say: I find Android Pay to be very convenient, and it even feels a little more secure than credit cards because you need my fingerprint or swipe code to make it work, unlike "smart chip" credit cards which most stores (not WalMart, hmmm....) will accept with no ID check. I suppose we could configure the CC to e-mail us every time we make a charge, but my wife seems to check the statement nightly so e-mails would be a little redundant.

      --
      🌻🌻 [google.com]
      • (Score: 1) by anubi on Saturday June 16 2018, @08:27AM (2 children)

        by anubi (2828) on Saturday June 16 2018, @08:27AM (#693889) Journal

        I am still a bit old-fashioned and leery of electronic-pay kind of things, as it's all too easy for me to do something that others may deliberately make hard for me to reverse.

        Many business transactions are like going through a door, only to find it locked behind me. All sales final. No refunds. That kind of thing. Those business phrases remind me to be very careful before tendering any cash.

        I could be easily fooled by things like button placement, designs, fine print, and colors, to invoke "buy now" functions when I intended to close the page. I still like the tangible action of opening up my wallet and tendering cash, or deliberately writing out and signing a paper cheque. These are things I do not do by accident.

        I am extremely uncomfortable with "one click ordering", where I know some rogue javascript could easily order a bunch of crap for me behind my back, and leave ME with the aggravation of having to deal with it.

        --
        "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
        • (Score: 2) by JoeMerchant on Saturday June 16 2018, @11:49AM (1 child)

          by JoeMerchant (3937) on Saturday June 16 2018, @11:49AM (#693921)

          I am extremely uncomfortable with "one click ordering"

          Me too. However, when my kids order a bunch of stuff with their (supposedly locked out) Kindle, Amazon has always very graciously refunded all the purchases - for the mere price of 5 minutes of chatting with them - all in all a good trade for what the kids get out of the Kindle when they are not ordering stuff on it.

          I have also had good luck reversing CC charges which have appeared on my bill fraudulently, including stuff like Legos ordered to another address - the fact that the goods are shipped to a strange address seems to be enough to do the trick. These cost more - maybe 20 minutes on the phone, but they're the price of having a CC account and all the convenience it brings. Both the fraud and the kids only come up once every couple of years, so all in all it's not a big load.

          As for Android Pay, it feels pretty hard to do that one by accident - it's NFC, it only works when my phone is unlocked, it BING's me when it happens, pops a notice on the screen and sends an e-mail, and then it goes through the CC which has already established a level of comfort for me.

          I know people who have had their identity stolen multiple times, and it is clearly a living hell (though I wonder about some of them whether they might be letting their identity get stolen in an attempt to get out of some charges of their own...) I wonder, though, if it is any worse than being robbed at gunpoint for the cash you would carry if you didn't use CCs?

          --
          🌻🌻 [google.com]
          • (Score: 1) by anubi on Saturday June 16 2018, @12:27PM

            by anubi (2828) on Saturday June 16 2018, @12:27PM (#693929) Journal

            Thanks for your vote of confidence on the Android.

            I am on the Android system... and I am afraid of the Google Play Store. I don't want to share my CC information with Google if I can help it. I am afraid of accidentally ordering stuff while I am researching whether or not I want to get something. If no-one has my name or billing credentials, I feel pretty safe to look around. If I get some phish mail in my inbox thanking me for some order, click on the link for details, I know it has to be bogus. And even if I do, I don't have personal info in my phone. I guess my phone number is the only thing in that phone that will tie it into me. And no financial info of mine is in that thing. Nothing in there one could not get from any other public source. It's just a phone, a bunch of EAGLE data file backups ( via FTP server app ), and a bunch of offline maps and offline GPS geolocation stuff. I like to go off in the middle of nowhere now and then, but really like knowing the GPS will tell me where I am, without connecting to cell towers or the internet.

            I was so scared of how easy it was to order on Amazon until I discovered I was able to go in and edit my CC number to bogus crap. I just remember to go back to my Amazon account and correct it before I order, place my order, let it go through, then botch it back up again... just to make sure that if anyone gets access to my machine, they don't also get access to a shopping spree at my expense. AliExpress keeps offering to keep my CC number, but so far, they have let me deny them to keep it on their server. The fact I have to deliberately enter the number each time gives me assurance that placing orders on my account is not as trivial as just clicking on it.

            I much prefer to keep my financial credentials off other people's machines as much as possible. It was bad enough Equifax got careless and spilled the beans.

            Admittedly, Amazon has been very gracious in making things right with me, albeit sometimes their merchants have pulled a fast one on me now and then. You know, show one thing, and ship something similar, but inferior, and once in a blue moon, I receive something that was just plain defective and someone's QC should have caught it before it got to me.

            I try to play right by Amazon, as I do appreciate their business model of backing up their sellers and "doing the dirty work" for me if things go sour, and will not abuse that, as I know returns are terribly expensive and time consuming for all involved. I do my best to make damn sure that's what I want before I order it, and also do my best to keep fraud at bay, which means if I believe my system is insecure ( which I do, others have access to it when I am not around ), I will do every trick I know to make things hard to screw up.

            --
            "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
    • (Score: 2) by cmdrklarg on Friday June 15 2018, @08:41PM

      by cmdrklarg (5048) Subscriber Badge on Friday June 15 2018, @08:41PM (#693692)

      Hmm, the picture shows a green LED. That can't be right. Only ooolld stuff has green or red LEDs. It must alternate with a burn-out-your-eye-socket-so-you-can't-use-retina-authentication blue LEDs.

      Speaking as a somewhat colorblind guy who has trouble distinguishing between green and red LEDs, yes I'd rather see a blue LED. YMMV

      --
      The world is full of kings and queens who blind your eyes and steal your dreams.
  • (Score: 4, Insightful) by Arik on Friday June 15 2018, @02:28PM (1 child)

    by Arik (4543) on Friday June 15 2018, @02:28PM (#693498) Journal
    "Smart" only means it's smart enough to betray you, not that it's in any way smart to purchase or use.
    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 4, Funny) by BsAtHome on Friday June 15 2018, @02:35PM

      by BsAtHome (889) on Friday June 15 2018, @02:35PM (#693504)

      "Smart" refers to the ability of the seller to get money out of the customer's pockets.

  • (Score: 2, Informative) by Anonymous Coward on Friday June 15 2018, @02:52PM (4 children)

    by Anonymous Coward on Friday June 15 2018, @02:52PM (#693510)
    • (Score: 2) by FatPhil on Friday June 15 2018, @03:04PM (3 children)

      Can someone make the actual vid available somewhere, my browser doesn't cope with the BBC website well.
      (And don't say you love the Brits, some of us are complete Cnuts.)
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 5, Informative) by sjames on Friday June 15 2018, @05:24PM (2 children)

        by sjames (2882) on Friday June 15 2018, @05:24PM (#693595) Journal

        Quick summary, guy thumps the top of the "safe" with his fist and the "locked" door pops open.

        • (Score: 2) by FatPhil on Friday June 15 2018, @05:49PM (1 child)

          Thanks! Out of mods at the moment, someone with a spare one please drop one above...
          --
          Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 4, Funny) by FatPhil on Friday June 15 2018, @02:58PM (9 children)

    Why does a fingerprint-scanning padlock need bluetooth? I know I don't transmit my fingerprints to my beer glasses with bluetooth, I use good old fashioned physical contact.

    Perhaps they've increased the "functionality" of this lock (a thing that should be hard to open) by making it have more ways to become open. Because clearly that's what locks need - more ways to become open, the more the better. What's next? Farce recognition?

    But as the first poster implied. The fact that it was "smart" was a sure sign that it would be motherhumpingly stupid.
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 3, Informative) by requerdanos on Friday June 15 2018, @03:12PM (8 children)

      by requerdanos (5997) Subscriber Badge on Friday June 15 2018, @03:12PM (#693521) Journal

      Why does a fingerprint-scanning padlock need bluetooth?

      According to Cnet [cnet.com], it's so there can be an app for that.

      The Tapplock One Plus and Tapplock Lite can store up to 500 fingerprints, and you can use the Tapplock app to track who opened a lock and when -- or grant remote access to a new user.

      Of course, this IOT feature also provides the ability for any random person to open the lock with techniques from TFA, so that's more features right there.

      • (Score: 4, Funny) by FatPhil on Friday June 15 2018, @03:31PM (7 children)

        A fun "harmless" hack for this thing might therefore be to disable the legitimate owner's access (as a thumb, and also as a controlling device) using a spoofed app. Force him (sorry for the sexist pronoun, if you're female and bought this, please let me know and I can degender the sentence) to bolt-cut his way into his own $100 lump of proof of stupidity. He should be forced to wear what remains of the padlock round his neck like an albatross.
        --
        Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
        • (Score: 2) by JoeMerchant on Friday June 15 2018, @07:09PM (6 children)

          by JoeMerchant (3937) on Friday June 15 2018, @07:09PM (#693650)

          Personally, I can see a very nice door lock application for bluetooth: put one of these [sdcsecurity.com] on the door and hook up a little bluetooth receiving embedded processor that will let you in if your app knows how to do the secret handshake. Could be used on holiday rentals and all kinds of other places - just e-mail the code to the authorized user and they can use the door like a normal door, when their authorized phone is in range. When their access expires, that's it.

          So much better than the combination padlocks I've dealt with at various rental places, where you rent again 3 years later and the 4 digit padlock code is still the same.

          --
          🌻🌻 [google.com]
          • (Score: 2, Interesting) by anubi on Saturday June 16 2018, @08:33AM (5 children)

            by anubi (2828) on Saturday June 16 2018, @08:33AM (#693891) Journal

            I have a neighbor whose garage door is driving her nuts... every once in a blue moon, it opens all by itself in the middle of the night.

            It's only happened once, but she flat does not trust it anymore... and faithfully unplugs it every night.

            --
            "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
            • (Score: 3, Interesting) by JoeMerchant on Saturday June 16 2018, @11:54AM (4 children)

              by JoeMerchant (3937) on Saturday June 16 2018, @11:54AM (#693924)

              So, the state of the art Genie rolling code schemes still aren't all that great on security in the big picture.

              With 256 bit ECDSA, a brute force hack would take longer than your house will be standing, probably longer than the Earth will be inhabitable (though if the attacker has a quantum computer it can be done much faster....)

              Still, like any mechanism it can have unintended faults - a short in the indoor opener button wire will do that. I've heard stories of conductive spiders that walk across electrical circuits and randomly complete contacts...

              --
              🌻🌻 [google.com]
              • (Score: 1) by anubi on Saturday June 16 2018, @12:53PM (3 children)

                by anubi (2828) on Saturday June 16 2018, @12:53PM (#693932) Journal

                I have no idea how it got open... I went by her house early one morning, and it was open... when I asked her about it later in the day, she was quite upset about it.

                When I was designing some interface stuff for industry much earlier in my career, one of the things my mentor drilled into me was noise on a compromised I/O port, and be very careful of qualifying all inputs, especially anything critical. Well, you know, that million monkeys for a million years typing out the Constitution, or something like that... you never know just what that noise may be interpreted as.

                When it comes to low-power CMOS, it does not take much to flip a logic state. I could certainly see a spider or a little dew+dust causing big problems.

                Even to this day, my TV remote occasionally does odd stuff... change the volume and it changes channels instead....that sorta thing.

                But then, that TV remote is a simple bit pattern, no rolling code security at all. Mangle just one bit, and you get another function.

                Doesn't happen often, and if it does, it's harmless.

                For all I know, she may have even forgot to close it the night before. But I do have it in my earlier experiences with garage door openers that at one time they were a favorite target of pranksters, who spoofed them kinda like I used to spoof an old TV remote by jingling a ring of keys in the vicinity of the TV.

                --
                "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
                • (Score: 3, Interesting) by JoeMerchant on Saturday June 16 2018, @02:08PM (2 children)

                  by JoeMerchant (3937) on Saturday June 16 2018, @02:08PM (#693943)

                  First place I worked used a "fancy" 8 bit checksum on their RS232 command input, all confident in how hashed up it was and optimally error resistant... whatever. Our first customer hooked up 250' cables to the 232 input ports (against our max 50' labeling) routed them through the ceiling with a bunch of noise sources, and then the devices started reprogramming themselves within a couple of hours of being connected to the noisy cable - after a couple of days just about every setting on the device would be messed up. There's no beating the infinite number of monkeys with an 8 bit checksum.

                  Next place I worked was much more serious: implantable neurostimulators, and on the first day of the job what did I discover? The programmer, which was capable of programming the device to deliver up to 4x the current approved for use in humans - potentially stopping the patient's heart, used (I'm disappointed if you haven't guessed already) an 8 bit checksum. Concerned that this might be some kind of competency / courage to speak up test, I spoke up and was directed to the "expert witness" engineer who did a calculation "proving" so many millions of years between erroneous programming events yadda yadda yadda. I told him, politely, "I don't believe your calculations." and let it drop - first day on the job, just moved over 1000 miles to be there, wife 8 months pregnant, etc. Less than 2 years later he, I, and the lead engineer on the programmer software were called into a room to investigate reports of erroneous programming events, painful stimulation, and an unconnected disappearance of a patient while surfing the day after one of these reports... seems that the checksum for maximum stimulation, and the programming code for it as well, is identical to a common setting but with the last 11 bits all set to 0 instead (this thing programmed at about 50 baud...), so... start a normal programming transmission and pull away the wand at the right moment and your patient will (thankfully immediately) begin to scream OW OW OW OW!!!! while they get maximum stim. Cool heads prevailed and reprogrammed the device to normal settings in all cases, nobody's heart stopped (that we are aware of), and we rolled an update to the programmer software that changed the sequence to make that scenario not happen anymore, but... at least the next generation device (not released for another 2 years with ~15,000 patients being implanted per year) upped the checksum from 8 bits to 16... 
                  I pitched the argument that 32 bits absolutely kills the security question, but was overruled by a battery life zealot who did a calculation showing that 32 bit checksums would reduce the implant life from 7 years to 6 years 11 months, and 7 years was our target...

                  --
                  🌻🌻 [google.com]
                  • (Score: 1) by anubi on Sunday June 17 2018, @10:16AM (1 child)

                    by anubi (2828) on Sunday June 17 2018, @10:16AM (#694202) Journal

                    Thanks, Joe... I found that very interesting.

                    Very few people have the experience to post such a thing, or are even aware of stuff like this.

                    It probably would not surprise you if I told you one of the first things I do with "high reliability" power supplies is go get some jumper wires and a file. I connect one jumper to the file, and rub the other up and down the file, while it's connected to the power supply output. A winding to a small power transformer in series with the circuit increases the severity of the test significantly, but you gotta be careful as the inductive kickback will send you sailing if you touch the setup while testing. I've ruined more power supplies that way. But best do it in my office in front of the sales rep than have it happen in the field. ( I'm referring to those little power supplies that are intended for powering field microprocessors. ).

                    If I did not do this, mother nature will. This was in an oil refinery in Mississippi. We had lots of thunderstorms and lightning. In the middle of a thunderstorm is a really bad time for our stuff to fail.

                    I will also do that to I/O ports. Another thing I will do is hit 'em with piezoelectric barbeque starters. The ESD protection is supposed to protect against things like that. You never know when you connect to a long piece of wire just what pin makes connection first, anyway.

                    And I would just watch as the sales rep grimaced, and my mentor smiled.

                    Incidentally, Lambda, you made some damned good power supplies!

                    --
                    "Prove all things; hold fast that which is good." [KJV: I Thessalonians 5:21]
                    • (Score: 2) by JoeMerchant on Sunday June 17 2018, @01:31PM

                      by JoeMerchant (3937) on Sunday June 17 2018, @01:31PM (#694236)

                      Thank you. Over the years I've noticed A) that the ESD "standard" tests don't seem to hit devices with nearly as much energy as I can generate in a finger while wearing wool pants on a dry day (in Florida, no less) and B) ever so slowly, little by little, the standards are increasing their requirements. Nonetheless, it seems that failing ESD testing is one of the most common development experiences - people think they've got it handled then something changes and they start failing again. It's a hard test to pass - lots of tradeoffs when trying to pass high frequency signals through the port, or in the case of the neurostimulators - efficiently deliver nice sharp low energy pulses.

                      In the early 1980s we had a cable box on top of our TV - when lightning would strike off in the distance we'd get sparks arcing between the box and TV - bad grounds, not to code, I'm sure, but that didn't change the fact of it happening.

                      --
                      🌻🌻 [google.com]
  • (Score: 3, Insightful) by Anonymous Coward on Friday June 15 2018, @03:49PM

    by Anonymous Coward on Friday June 15 2018, @03:49PM (#693542)

    Physical features are not passwords, they are logins.

  • (Score: 2) by maxwell demon on Friday June 15 2018, @09:51PM (1 child)

    by maxwell demon (1608) on Friday June 15 2018, @09:51PM (#693727) Journal

    On its website, Tapplock is described as the "world's first smart fingerprint padlock".

    So I need a smart fingerprint to open it?

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by kazzie on Saturday June 16 2018, @09:32AM

      by kazzie (5309) Subscriber Badge on Saturday June 16 2018, @09:32AM (#693898)

      Yes. Jeans and sneakers are not permitted on your fingerprint. Neckties are optional.
