A Canadian maker of smart padlocks has agreed to implement a comprehensive security program and not misrepresent its privacy and security practices under an agreement with the U.S. Federal Trade Commission.
Earlier this month, the FTC gave final approval to a settlement with Tapplock Inc. of Toronto, maker of a fingerprint-enabled padlock sold to enterprises and consumers, related to allegations it falsely claimed that its internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data collected through a mobile app.
Security researchers identified both physical and electronic vulnerabilities with Tapplock’s smart locks, according to the complaint. The FTC also alleged that Tapplock failed to implement a security program or take other steps that might have helped the company discover electronic vulnerabilities with its locks.
Under the settlement, Tapplock is required to implement a comprehensive security program and obtain independent biennial assessments of the program by an assessor that the FTC approves. The company also is prohibited from misrepresenting its privacy and security practices.
The two sides came to an agreement on a settlement of the allegations in April. That needed final approval of the commission.
Under the consent order, Tapplock agreed to not transfer, sell, share, collect, maintain, or store personal information or manufacture or sell devices unless it implements a comprehensive security program that protects the security of devices and the security, confidentiality, and integrity of personal information.
According to its website this week, the company sells two models: The Tapplock one+, described as “Sturdy” and “Secure” and stores up to 500 fingerprints per lock; and the Tapplock lite, described as having a “strong, lightweight chassis” and stores up to 100 fingerprints. Bluetooth lets users share remote access.
For organizations that issue and control multiple padlocks, the company offers an enterprise software-based management console allowing an administrator to set custom permissions for users and manage them by groups. Customers listed on the site include Bombardier, Lufthansa and Foxconn.
The FTC’s background complaint document supporting the consent order says that in 2018 “security researchers identified critical physical and electronic vulnerabilities” with Tapplock smart locks. “Some could be opened within a matter of seconds, simply by unscrewing the back panel.”
One alleged vulnerability in the API could have been exploited to bypass the account authentication process in order to gain full access to the accounts of all Tapplock users and their personal information, including usernames, email addresses, profile photos, location history, and precise geolocation of smart locks. Because the company failed to encrypt the Bluetooth communication between the lock and the app, a second vulnerability could have allowed a bad actor to lock and unlock any nearby Tapplock smart lock. Finally, a third vulnerability prevented users from effectively revoking access to their smart lock once they had provided other users access to that lock.
The second count alleges that Tapplock deceived consumers about its data security practices by falsely representing that it took reasonable precautions and followed industry best practices to protect the personal information provided by consumers.
Tapplock neither admitted nor denied any of the allegations in the complaint other than those stated in the final decision and consent order.
UPDATE: In a June 1 interview Tapplock CEO Michael Wang said a lot of the parts and firmware for the company’s first-generation padlocks were outsourced and assembled by a contract manufacturer. One batch had been wrongly assembled with a pin that secured the back was installed upside down. As a result the backs could be twisted open. Padlocks from that batch were among those tested by a researcher, which led to the FTC investigation. “That wasn’t really a design flaw,” he said. In addition there were flaws with the firmware, which Tapplock didn’t control at the time, so those problems couldn’t be fixed “in a timely and systematic way.”
“As soon as the security vulnerabilities happened we stopped production of the generation 1 lock.” Production resumed with the current second-generation improved padlocks.
Asked if having to come to a settlement with the FTC is embarrassing, Wang said, “We really wouldn’t call it that.”
One lesson the company learned is the need to build in manufacturing redundancy so the upside-down problem won’t occur. As part of the settlement the company promised to build in systematic checks to its security processes, he said, a move it had already been making.