FTC settlement hits biometric padlock maker with security orders for deceptive advertising
The Federal Trade Commission (FTC) has settled an official complaint against biometric padlock developer Tapplock for marketing its product as having “unbreakable” security, a claim that proved inaccurate, as ThreatPost reported when the complaint was filed.
The lock was first advertised in 2016, after raising some $300,000 on Indiegogo, and then went into production. Two years ago, Tapplock released an upgraded version, the Tapplock one+ biometric padlock. The smart lock is an IoT device that uses fingerprint biometrics for enhanced security, and users can control it over Bluetooth via an app.
Soon after the lock was released, the company issued patches for critical security issues that had been identified and that made the device easy to hack in less than one hour.
According to the FTC, both the lock and the app exhibited “reasonably foreseeable electronic security vulnerabilities that could have been avoided.” The company therefore marketed the product with deceptive claims.
“Researchers were able to easily discover and replicate how [Tapplock] generated the private keys necessary to lock and unlock user’s smart locks,” reads the FTC complaint [PDF]. This is possible because the Bluetooth communication between the lock and the app is not encrypted.
Tapplock is also accused of failing to properly secure user data. An alleged privacy bug in the API could give unauthorized access to all the information the mobile app collects, including emails, profile photos and location.
“A researcher who logged in with a valid user credential could…access another user’s account without being re-directed back to the login page, thereby allowing the researcher to circumvent respondent’s authentication procedures altogether,” the complaint reads.
A third vulnerability concerned third-party access: a user who had been granted temporary access could keep using the lock even after that access was revoked.
“This vulnerability allowed the researchers to sniff data packets for the information necessary to authenticate their access to the lock,” the FTC explained. “With that information, researchers were able to continue accessing the lock even after their access had been revoked.”
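The revocation failure described above is, in effect, a replay problem: authentication data captured from the air still authenticates later, so revoking a grant on the server changes nothing at the lock. As an added illustration (not Tapplock's code and not taken from the complaint), the following Python sketch shows the defender-side pattern that closes it: a per-grant key derived from a secret only the lock and the vendor server hold, a one-time challenge so a sniffed exchange cannot be replayed, and a revocation list enforced on the lock itself. The lock secret, grant format, revocation sync and 30-second nonce window are all assumptions.

```python
import hashlib, hmac, os

def derive_grant_key(lock_secret, grant_id, expires_at):
    # Per-grant key bound to id and expiry; only the server and the lock hold lock_secret,
    # so a phone cannot forge a grant or quietly extend its own expiry.
    return hmac.new(lock_secret, f"{grant_id}|{expires_at}".encode(), hashlib.sha256).digest()

def issue_grant(lock_secret, grant_id, expires_at):
    # Server side: what the guest's phone receives. The phone never holds lock_secret.
    return {"grant_id": grant_id, "expires_at": expires_at,
            "key": derive_grant_key(lock_secret, grant_id, expires_at)}

def phone_respond(grant, nonce):
    # Guest phone: prove possession of the grant key for this one challenge only.
    return hmac.new(grant["key"], nonce.encode(), hashlib.sha256).hexdigest()

class Lock:
    def __init__(self, secret):
        self.secret = secret
        self.revoked = set()  # grant ids the owner revoked (synced from the server; assumed)
        self.pending = {}     # outstanding nonce -> time issued; each nonce is consumed once

    def challenge(self, now):
        nonce = os.urandom(16).hex()
        self.pending[nonce] = now
        return nonce

    def revoke(self, grant_id):
        self.revoked.add(grant_id)

    def unlock(self, grant_id, expires_at, nonce, proof, now):
        issued = self.pending.pop(nonce, None)
        if issued is None or now - issued > 30:
            return False  # unknown, reused or stale nonce: a sniffed exchange cannot be replayed
        if grant_id in self.revoked or now > expires_at:
            return False  # revoked or expired grant is refused even with a valid proof
        key = derive_grant_key(self.secret, grant_id, expires_at)
        expected = hmac.new(key, nonce.encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(proof, expected)

def demo():
    lock = Lock(os.urandom(32))  # constructed secret; provisioned at manufacture (assumed)
    guest = issue_grant(lock.secret, "guest-1", expires_at=1000)  # server's copy of the secret
    n1 = lock.challenge(now=100)
    p1 = phone_respond(guest, n1)
    ok = lock.unlock("guest-1", 1000, n1, p1, now=101)      # legitimate use while access is valid
    replay = lock.unlock("guest-1", 1000, n1, p1, now=102)  # captured exchange replayed
    lock.revoke("guest-1")
    n2 = lock.challenge(now=200)
    after_revoke = lock.unlock("guest-1", 1000, n2, phone_respond(guest, n2), now=201)
    return ok, replay, after_revoke
```

In this design a sniffed (nonce, proof) pair is worthless after the first use, and revocation takes effect as soon as the lock learns of it, which is the property the complaint says the product lacked.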
Under the FTC settlement, which followed an investigation of the company's acts and practices, Tapplock may no longer make false statements about device security and user privacy. It must immediately roll out a security program, provide security training for its employees, undergo biennial third-party assessments and certify compliance every year.
IoT companies must put security and privacy first to prevent vulnerabilities that let third parties bypass authentication or intercept data flows.
The FTC has released a set of recommendations for companies to consider in order to keep their internet of things (IoT) products and services secure. These include a security-by-design approach with vulnerability and penetration testing before official release; appointing an executive responsible for product security and training team members to identify and report vulnerabilities; designing authentication into the product from the start to prevent device and network compromise; applying industry know-how and best practices; and securing every interface used for service communication.
The provisions of the consent order are valid for 20 years.
Meanwhile, locks that operate with fingerprint biometrics continue to be developed and launched as the consumer biometrics market picks up steam.
This post was updated at 1:55pm on April 13 to note the FTC settlement details.