FTC The Latest To Discover ‘Smart’ Locks Are Dumb, Easily Compromised


from the dumb-is-the-new-smart dept

Fri, Apr 10th 2020 1:37pm
Karl Bode

Like most internet of broken things products, we’ve noted how “smart” door locks often aren’t all that smart. More than a few times we’ve written about smart lock consumers getting locked out of their own homes without much recourse. Other times we’ve noted how the devices simply aren’t that secure, with one study finding that 12 of the 16 smart locks it tested could be hacked with relatively little effort thanks to flimsy security standards, something that’s the primary feature of many internet of broken things devices.

This week, the FTC released a complaint (pdf) against Tapplock, the maker of a “smart,” fingerprint-reading padlock the company’s website proclaims delivers “99.999% accuracy” while unlocking in “0.8 seconds.” In the complaint and a companion press release, the FTC makes it clear the products are exploitable, either by simply unscrewing the back, or by attacking the Bluetooth link between the lock and its companion app. Based on the FTC complaint, the company did not even do the bare minimum to ensure the devices were actually secure:

“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Tech companies should remember the basics—when you promise security, you need to deliver security.”

On top of that, the FTC noted that the company collected a notable amount of data including user locations, lock locations, email addresses, and other data the company then failed to (surprise!) secure. In fact, the FTC goes so far as to suggest that, like so many IOT companies, Tapplock failed to have even a basic security program to protect product integrity and consumer data:

“Contrary to the statements described in Paragraphs 8-11, Respondent did not take reasonable measures to secure its locks, or take reasonable precautions or follow industry best practices for protecting consumers’ personal information. In fact, Respondent did not have a security program prior to the discovery of the vulnerabilities described…”

Granted, this is the kind of action we need more of from the FTC in the internet of broken things era. But at the same time this is a drop in the bucket when you consider the mountain of companies, many outside the reach of the FTC, that build internet-connected devices with flimsy to nonexistent security and privacy protections. As security experts like Bruce Schneier have long noted, there’s a market failure in the IOT space where neither the manufacturer nor the consumer has any incentive to do or demand better. That’s especially true for network-connected devices that aren’t clear about what data is being transmitted:

“The market can’t fix this because neither the buyer nor the seller cares. The owners of the webcams and DVRs used in the denial-of-service attacks don’t care. Their devices were cheap to buy, they still work, and they don’t know any of the victims of the attacks. The sellers of those devices don’t care: They’re now selling newer and better models, and the original buyers only cared about price and features. There is no market solution, because the insecurity is what economists call an externality: It’s an effect of the purchasing decision that affects other people. Think of it kind of like invisible pollution.”

Fixing the IOT mess will require a cross collaboration between researchers, consumers, academics, governments, and industry. But as Schneier has also noted, the incentive for such collaboration probably won’t materialize until after there’s a privacy scandal so severe it finally prompts us to collectively give a damn.

Filed Under: ftc, security, smart locks
