The “world’s worst” smart padlock – it’s EVEN WORSE than we thought | Tech News

Chemicloud Web Hosting

Remember last week’s ROTFL story about the $99 digital padlock that could be opened in just two seconds without an angle grinder or a bolt cutter?

Canadian internet of things (IoT) startup Tapplock learned the hard way why you should never knit your own cryptography – unless you’re a proper cryptographer, of course.

UK penetration testing company Pen Test Partners took a glance at Tapplock’s cool-sounding, fingerprint scanner-equipped, Bluetooth-speaking padlock and almost immediately noticed that the “secret” code for each lock could be calculated directly from the lock’s Bluetooth network address.

Because network MAC addresses aren’t meant to be secret – in fact, they’re specifically designed to be broadcast publicly, in order for the network to function – they aren’t, errrrrr, well, they aren’t secrets!

Using your padlock’s public MAC address as your secret padlock access code is like writing the PIN of your bank card on the front in LARGE DIGITS, using an indelible marker pen.

As a result, Pen Test Partners managed to create an “unlock any Tapplock” program that could open any lock in just two seconds, compared to the 0.8 seconds required for the official app to open a specific lock.