SoylentNews is people

posted by Fnord666 on Monday April 06 2020, @04:17AM
from the not-very-secure dept.

This fingerprint-verified smart lock can be foiled by a magnet:

Tapplock, a company that makes fingerprint-verified locks, has had a rough time with its locks' security. The company's flagship lock, which has been available since 2019, is apparently easy to pop open with a magnet. YouTuber LockPickingLawyer published a video last week showing how he could use a powerful magnet to turn the motor inside the Tapplock One Plus, causing it to open. The entire process takes less than 30 seconds.

The Tapplock One Plus costs $99 and features a fingerprint sensor. It also has built-in Bluetooth, so people can unlock it using an app. In response to the video, Tapplock commented: "Wow! Shout out to LPL for finding this exploit. Working on a fix with magnetic shielding, will be back."

This is a commendable reply, although it doesn't do much for people who already bought the lock. Most companies ignore bug reports or fail to fix the flaw. It at least seems like Tapplock wants to figure out how to prevent this kind of attack.


This discussion has been archived. No new comments can be posted.
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2, Insightful) by Anonymous Coward on Monday April 06 2020, @05:05AM (10 children)

    by Anonymous Coward on Monday April 06 2020, @05:05AM (#979574)

    In other words: people discovered LPL exists [which is a good thing].

    • (Score: 2) by FatPhil on Monday April 06 2020, @10:46AM (9 children)

      by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday April 06 2020, @10:46AM (#979602) Homepage
      Google hasn't:

      13:43 <+FatPhil> =g lpl
      13:43 < systemd> https://www.lpl.com/ - LPL Financial | Investment & Wealth Management Services ...
      13:43 <+FatPhil> =g lpl -wealth
      13:43 < systemd> https://lol.gamepedia.com/LPL/2020_Season/Spring_Season - LPL 2020 Spring - Leaguepedia | League of Legends Esports Wiki
      13:43 <+FatPhil> =g lpl -wealth -league
      13:43 < systemd> https://www.lpl.arizona.edu/ - Lunar and Planetary Laboratory & Department of Planetary ...
      13:43 <+FatPhil> =g lpl -wealth -league -lunar
      13:43 < systemd> https://www.genecards.org/cgi-bin/carddisp.pl?gene=LPL - LPL Gene - GeneCards | LIPL Protein | LIPL Antibody
      13:43 <+FatPhil> =g lpl -wealth -league -lunar -gene
      13:43 < systemd> https://finance.yahoo.com/quote/LPL/ - LG Display Co, Ltd AMERICAN DEP (LPL) Stock Price, Quote ...
      13:44 <+FatPhil> =g lpl -wealth -league -lunar -gene -stock
      13:44 < systemd> https://www.lpl.com/about-Us/social-responsibility/diversity-and-inclusion.html - Diversity & Inclusion at LPL | LPL Financial
      13:44 <+FatPhil> =g lpl -financial -league -lunar -gene -stock
      13:44 < systemd> https://www.ncbi.nlm.nih.gov/pubmed/26934567 - Coding Variation in ANGPTL4, LPL, and SVEP1 and the Risk of ...
      13:44 <+FatPhil> =g lpl -financial -league -lunar -gene -stock -coding
      13:44 < systemd> https://lpl.org/ - Liverpool Public Library: Home
      13:44 <+FatPhil> =g lpl -financial -league -lunar -gene -stock -coding -liverpool
      13:44 < systemd> https://link.springer.com/article/10.1007/BF01783416 - LPL: A mathematical programming language | SpringerLink

      and if google's never heard of it, I'm not sure why you should ASSume anyone else has.
      --
      Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
      • (Score: 4, Informative) by RS3 on Monday April 06 2020, @01:57PM (8 children)

        by RS3 (6367) on Monday April 06 2020, @01:57PM (#979638)

        FTFA, "LPL" = YouTube user "LockPickingLawyer".

        2-minute video of "LPL" opening the lock, and demonstrating unlocking it with a magnet: https://www.youtube.com/watch?v=3N84iZ68cXQ [youtube.com]

        • (Score: 2) by Freeman on Monday April 06 2020, @05:20PM (7 children)

          by Freeman (732) on Monday April 06 2020, @05:20PM (#979704) Journal

          I ran out of upmods before I got to you, so here's a virtual upmod for you. That was quite informative. Assuming your YouTube link actually links to what you say. I'm not going to click on it, though.

          --
          Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
          • (Score: 2) by Freeman on Monday April 06 2020, @05:22PM

            by Freeman (732) on Monday April 06 2020, @05:22PM (#979706) Journal

            Never mind, I am crazy, I had two left!

            --
            Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
          • (Score: 2) by RS3 on Monday April 06 2020, @06:26PM (4 children)

            by RS3 (6367) on Monday April 06 2020, @06:26PM (#979729)

            Thank you for the upmod. I've been on SN for a bit, and I don't think I've ever wasted anyone's time, including my own, posting a bogus link. What's the harm clicking on a youtube link? It's something stupid and you close the tab. I guess I'm missing something. Or perhaps I'm more generally curious than most.

            • (Score: 2) by Freeman on Wednesday April 08 2020, @08:50PM (3 children)

              by Freeman (732) on Wednesday April 08 2020, @08:50PM (#980381) Journal

              YouTube doesn't lend itself to informative links. Thus, I'm not going to click on some random video that I have no idea what it is. While YouTube is "relatively safe", there's plenty of random craziness on there that I don't want to look at.

              --
              Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
              • (Score: 2) by RS3 on Wednesday April 08 2020, @09:06PM (2 children)

                by RS3 (6367) on Wednesday April 08 2020, @09:06PM (#980383)

                I'm not sure why I'm replying.

                Okay, so YouTube URLs aren't descriptive, but I gave a nice concise description with a nice link that might take all of 10 seconds to see if it's informative.

                And, if you're that worried about videos, I can recommend some browser plugins that prevent videos from playing until you initiate it.

                I would understand your sentiment toward an AC, but I try to be a very positive contributor to SN.

                • (Score: 2) by Freeman on Wednesday April 08 2020, @09:20PM (1 child)

                  by Freeman (732) on Wednesday April 08 2020, @09:20PM (#980391) Journal

                  You're an unknown entity on a site that's all for free speech. Also, I'm not going to track all the users I think I can trust to not post some disturbing content that just so happens to be on YouTube. Better to go to known trusted sites. YouTube is not a known trusted site. The only parts of YouTube I trust to be reasonable are the channels I subscribe to.

                  --
                  Joshua 1:9 "Be strong and of a good courage; be not afraid, neither be thou dismayed: for the Lord thy God is with thee"
                  • (Score: 3, Funny) by RS3 on Thursday April 09 2020, @12:59AM

                    by RS3 (6367) on Thursday April 09 2020, @12:59AM (#980456)

                    For all the time you've spent in this thread, you could've clicked the link.

          • (Score: 2) by FatPhil on Tuesday April 07 2020, @06:50PM

            by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Tuesday April 07 2020, @06:50PM (#980040) Homepage
            His link was in TFS already. It was the contraction to "LPL" that wasn't clear.
            --
            Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 4, Insightful) by Arik on Monday April 06 2020, @06:11AM (8 children)

    by Arik (4543) on Monday April 06 2020, @06:11AM (#979581) Journal
    The manufacturer sent him samples to test, knowing who he was. And it wasn't nearly as easy to open as previous locks of that type he's reviewed.

    So thumbs up to tapplock, sounds like a relatively good company.
    --
    If laughter is the best medicine, who are the best doctors?
    • (Score: 4, Insightful) by ledow on Monday April 06 2020, @08:27AM (1 child)

      by ledow (5567) on Monday April 06 2020, @08:27AM (#979589) Homepage

      No, thumbs-up would have been to do that BEFORE you started mass production and putting them into shops.

      Post-production testing is basically worthless.

      • (Score: 4, Insightful) by Arik on Monday April 06 2020, @09:10AM

        by Arik (4543) on Monday April 06 2020, @09:10AM (#979596) Journal
        That would be better, for sure, but this is still noticeably better than what's passing for 'industry standard' at the moment.
        --
        If laughter is the best medicine, who are the best doctors?
    • (Score: 4, Interesting) by driverless on Monday April 06 2020, @09:05AM (5 children)

      by driverless (4770) on Monday April 06 2020, @09:05AM (#979595)

      And it's not just tapplock, almost every one of these sooper-dooper-high-tech gadget locks ends up having various trivial weaknesses in them that make them far less secure than a good old-fashioned keyed lock. Sure, you can pick a keyed lock one at a time, but once someone's published the whole string of vulns in the sooper-dooper lock any script kiddie can open every single one of them with minimal effort.

      Which is why I'll never put a gadget lock on my house.

      • (Score: 0) by Anonymous Coward on Monday April 06 2020, @04:28PM (1 child)

        by Anonymous Coward on Monday April 06 2020, @04:28PM (#979688)

        > Sure, you can pick a keyed lock one at a time

        Haven't checked recently, but my memory was that picking a Medeco was damn hard, the pins slide like normal but also rotate. Maybe that has changed if someone worked out some special tools?

        • (Score: 2) by Arik on Tuesday April 07 2020, @03:40AM

          by Arik (4543) on Tuesday April 07 2020, @03:40AM (#979870) Journal
          This one? https://www.youtube.com/watch?v=4fh6IHCr7uo
          --
          If laughter is the best medicine, who are the best doctors?
      • (Score: 2) by darkfeline on Monday April 06 2020, @08:16PM

        by darkfeline (1030) on Monday April 06 2020, @08:16PM (#979754) Homepage

        > you can pick a keyed lock one at a time

        Like 99.9% of the locks in the US (pin and tumbler) (and fewer, but still a significant proportion in Europe) can be popped by a pick gun or some raking or bumping in less than a second.

        --
        Join the SDF Public Access UNIX System today!
      • (Score: 2) by PartTimeZombie on Monday April 06 2020, @10:27PM (1 child)

        by PartTimeZombie (4827) on Monday April 06 2020, @10:27PM (#979793)

        Here's one that's cheap. [aliexpress.com]

        Like really cheap. You can change the currency at the top of the page to whatever you like.

        I am going to assume something that cheap is just to slow a thief down, rather than stop him.

        • (Score: 2) by driverless on Tuesday April 07 2020, @04:05AM

          by driverless (4770) on Tuesday April 07 2020, @04:05AM (#979881)

          Friend of mine who runs the local lockpicking club said that a cheap crappy Chinese padlock was one of the toughest padlocks (outside of high-security ones) he's ever picked because everything was so sloppily-made that... OK, I don't know the technical details but whatever it was that normally works didn't work very well and he had to spend ages messing around with it. He bought it specifically as a teaching padlock because he thought it'd be a doddle to open but it ended up being a right pain and not suited for teaching at all.

  • (Score: 1, Offtopic) by Runaway1956 on Monday April 06 2020, @08:11AM (15 children)

    by Runaway1956 (2926) Subscriber Badge on Monday April 06 2020, @08:11AM (#979585) Journal

    There is a huge variety of materials that are inherently protected from manipulation by magnets. Wood and paper won't work here, but there is plastic, aluminum, stainless steel, and so much more.

    It is likely that the lock itself doesn't need to be altered - just make the tumblers and pins from titanium or some such. The material chosen dictates the durability of the lock - cheap aluminum will wear out relatively quickly, titanium will last quite a long while, stainless will last even longer.

    • (Score: 4, Touché) by sjames on Monday April 06 2020, @08:22AM (8 children)

      by sjames (2882) on Monday April 06 2020, @08:22AM (#979588) Journal

      This is one of those times you really need to read (watch) all of the background material. The lock has a motor inside that unlocks it in response to a fingerprint or bluetooth. LPL used a strong magnet to rotate the motor shaft inside the lock to move it to the unlocked position. You can't make that out of non-magnetic material.

      So shielding it is.

      • (Score: 2) by Runaway1956 on Monday April 06 2020, @08:48AM

        by Runaway1956 (2926) Subscriber Badge on Monday April 06 2020, @08:48AM (#979592) Journal

        LOL - now I do feel dumb. I read it, did something else, came back, looked again, and focused on "magnetic shielding", forgetting all about the motor. Yeah, if you can run the motor, however slowly, using remote means, then you control the lock.

      • (Score: 3, Insightful) by Bot on Monday April 06 2020, @11:46AM (6 children)

        by Bot (3902) on Monday April 06 2020, @11:46AM (#979610) Journal

        Why don't you use the strength of the attacker against him? Instead of shielding have an element susceptible to magnets between the motor and the lock. If you get a magnet nearby the element displaces itself and blocks the mechanism.

        --
        Account abandoned.
        • (Score: 2) by Bot on Monday April 06 2020, @11:48AM (4 children)

          by Bot (3902) on Monday April 06 2020, @11:48AM (#979611) Journal

          It needs to be as simple as a spring attached metal pin which blocks the rotation of the motor.

          --
          Account abandoned.
          • (Score: 2) by RS3 on Monday April 06 2020, @02:02PM (3 children)

            by RS3 (6367) on Monday April 06 2020, @02:02PM (#979640)

            That might be a brilliant idea. It needs testing.

            Your idea (maybe Tapplock would pay you?) plus some "mu-metal" https://en.wikipedia.org/wiki/Mu-metal [wikipedia.org] shielding around the motor might fix the problem.

            Of course a bolt cutter or cutoff wheel won't care...

            • (Score: 2) by DannyB on Monday April 06 2020, @04:48PM (2 children)

              by DannyB (5839) Subscriber Badge on Monday April 06 2020, @04:48PM (#979695) Journal

              > That might be a brilliant idea. It needs testing.

              Tapplock seems to do testing after the product ships.

              Maybe the assumption is they can fix it with a software update.

              The device driver team has been tasked to create a patch that makes changing the lightbulb unnecessary.

              --
              People today are educated enough to repeat what they are taught but not to question what they are taught.
              • (Score: 2) by RS3 on Monday April 06 2020, @06:51PM

                by RS3 (6367) on Monday April 06 2020, @06:51PM (#979736)

                Long ago we all became beta testers for everything. 'nuff said.

              • (Score: 3, Interesting) by RS3 on Tuesday April 07 2020, @12:34AM

                by RS3 (6367) on Tuesday April 07 2020, @12:34AM (#979822)

                You gave me another idea. Not sure how the hardware is designed, but if they put sensing on the motor leads, they could sense external magnetic influences, and intentionally drive the motor a little- enough to keep it locked.

                They could also do a coil or a Hall-effect sensor and again, drive the motor toward locked when external magnetic fields come around.

        • (Score: 2) by EETech1 on Tuesday April 07 2020, @05:12AM

          by EETech1 (957) on Tuesday April 07 2020, @05:12AM (#979895)

          Just make the lock body out of steel.
          Then you will be afraid of holding that huge magnet anywhere near it, and you certainly wouldn't be able to swipe it over the lock like he does in the video.

          For reference, here's a 2 inch diameter, 2 inch thick magnet, and it has a pull force of 377.6 pounds.
          https://www.kjmagnetics.com/proddetail.asp?prod=DY0Y0-N52 [kjmagnetics.com]

          There's lots of good info on that site too!
          https://www.kjmagnetics.com/blog.asp [kjmagnetics.com]

    • (Score: 2) by maxwell demon on Monday April 06 2020, @08:27AM (5 children)

      by maxwell demon (1608) on Monday April 06 2020, @08:27AM (#979590) Journal

      > There is a huge variety of materials that are inherently protected from manipulation by magnets.

      But motors use magnetic fields to work. And the summary explicitly mentions that the magnet turned the motor.

      Replacing the magnets in the motor by non-magnetic materials would render that motor non-functioning.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 3, Touché) by driverless on Monday April 06 2020, @09:42AM (2 children)

        by driverless (4770) on Monday April 06 2020, @09:42AM (#979599)

        > Replacing the magnets in the motor by non-magnetic materials would render that motor non-functioning.

        So it'd make the lock very, very secure. I don't see the problem, you just need to climb in the window instead.

        • (Score: 2) by maxwell demon on Monday April 06 2020, @12:01PM (1 child)

          by maxwell demon (1608) on Monday April 06 2020, @12:01PM (#979612) Journal

          That's not the problem of the lock maker.

          --
          The Tao of math: The numbers you can count are not the real numbers.
          • (Score: 2) by driverless on Monday April 06 2020, @12:15PM

            by driverless (4770) on Monday April 06 2020, @12:15PM (#979614)

            It would even pass a BS 7799 security audit because the window is outside the security perimeter and thus not an auditable object.

      • (Score: 2) by RS3 on Monday April 06 2020, @02:22PM

        by RS3 (6367) on Monday April 06 2020, @02:22PM (#979643)

        You probably know most of this, but for everyone reading:

        Seeing this last evening, my first thought was to make a motor with no iron pole pieces in the armature/rotor. The rotor is the thing that turns in a motor, and in this case drives the mechanism which unlocks the lock's shackle.

        Most small DC motors have an electromagnetic rotor, with "brushes" to get the electric current into the rotor's wire coils, and permanent-magnet stator, aka field.

        The rotor's iron (steel) pole pieces, around which the wire coils are wrapped, are attracted to the force of the external magnet that LPL used to pick the lock.

        Iron is used for pole pieces because it greatly improves magnetic efficiency and motor torque (output force), but it's not necessary. You could make the rotor out of plastic, with copper wire coils, and the plastic would not be attracted to the external lock-picker's magnets. The motor would be weaker, but it might still be good enough in this case.

      • (Score: 2) by RS3 on Monday April 06 2020, @06:55PM

        by RS3 (6367) on Monday April 06 2020, @06:55PM (#979738)

        > Replacing the magnets in the motor by non-magnetic materials would render that motor non-functioning.

        I politely disagree. Please see my post lower in this discussion. Basically you can make a motor with just copper coils- no need for iron/steel. My idea is to replace the rotor steel with plastic (or anything physically strong but non-magnetic). Stator (field) can be permanent magnets.

  • (Score: 2) by FatPhil on Monday April 06 2020, @10:55AM (6 children)

    by FatPhil (863) <pc-soylentNO@SPAMasdf.fi> on Monday April 06 2020, @10:55AM (#979603) Homepage
    Looks like you can drill just at the side of the sensor and push the cam out of the way manually?
    OK, that's probably noisier, and is almost certainly tamper-evident, so not as good as this hack, but I'd still be quite confident of working.

    Workaround for this hack - two motors next to each other that have opposite polarities such that both need to move at the same time (otherwise you'd move one, then move the other, just like normal lockpicking).
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
    • (Score: 4, Interesting) by Immerman on Monday April 06 2020, @01:31PM (5 children)

      by Immerman (3985) on Monday April 06 2020, @01:31PM (#979631)

      Lockpicking is the art of *discreetly* bypassing security. Once you invoke drilling out the lock, *every* lock is vulnerable. Most are also vulnerable to bolt cutters, and all to angle grinders. You can make the case out of hardened steel or something so that the process takes longer or requires special bits, but destructive penetration is generally impossible to stop, you can only slow it down.

      Moreover, if an attacker is willing to be destructive, the lock is quite often the most secure component of the overall security, and it's likely to be far faster and easier to ignore it entirely and attack some other potential entrance. How many big expensive door locks have you seen securing rooms with drywall walls that you could kick your way through in seconds? Or drop ceilings that would let you go over the walls?

      • (Score: 1, Interesting) by Anonymous Coward on Monday April 06 2020, @04:37PM (4 children)

        by Anonymous Coward on Monday April 06 2020, @04:37PM (#979690)

        > ...all to angle grinders.

        Careful with absolutes. I found a turbine blade from a jet engine (surplus) and noticed it had tiny holes in it, I believe for either cooling or boundary layer control. Anyway, I tried to grind it open with my bench grinder to see how the holes were internally routed. The blade started to destroy my grinding wheel, while the blade showed a little polished spot--maybe it was made from a nickel superalloy?

        If I needed a really good padlock (cost no object), I'd have it made out of this material!

        • (Score: 2) by RS3 on Monday April 06 2020, @06:37PM

          by RS3 (6367) on Monday April 06 2020, @06:37PM (#979730)

          I find your post fascinating, but that you post AC is very frustrating. You do understand that there is no way to differentiate one AC from another? Some AC postings are brilliant, some are the worst trolling ever. It'd be nice to know who you are, have some consistency with communication. Don't get it?

          Anyway, if what you're saying is true, I'm intrigued. If you have an "angle grinder" (dumb name- what, it only grinds angles? Sigh...) please try cutting turbine blade with a cutoff wheel. A high-speed pneumatic one would be a similar test.

          When I was a kid I got some various grinding tips with 1/4" shafts. Chucked them in a drill and grinded on things. They would wear down fast, but cause some damage. Then, long story aside, I got a 26K RPM grinder, and radical change- grinding tips stayed intact and things grinded went away. Hmmm. Very interesting. Speed matters, and depends on the materials involved.

        • (Score: 2) by kazzie on Tuesday April 07 2020, @06:33AM (2 children)

          by kazzie (5309) Subscriber Badge on Tuesday April 07 2020, @06:33AM (#979907)

          > If you have an "angle grinder" (dumb name- what, it only grinds angles? Sigh...)

          It might also become the weapon of choice in the Battle for Scottish Independence.

          • (Score: 2) by Immerman on Wednesday April 08 2020, @01:56AM (1 child)

            by Immerman (3985) on Wednesday April 08 2020, @01:56AM (#980170)

            I'd recommend an organ grinder myself. Far more frightening.

            • (Score: 2) by kazzie on Wednesday April 08 2020, @05:13AM

              by kazzie (5309) Subscriber Badge on Wednesday April 08 2020, @05:13AM (#980204)

              But then there's the danger of grinding your own organs. If you only want to hurt Anglo-Saxons, well...

  • (Score: 0) by Anonymous Coward on Tuesday April 07 2020, @02:41AM

    by Anonymous Coward on Tuesday April 07 2020, @02:41AM (#979851)

    The company carefully designed a backdoor into the lock, which was found out. So now they will close this backdoor and keep the others open until they too are found out. In the meantime they will change the design, adding more backdoors.

    They learnt this from the jews.
