tapplock thoughts anyone?

[ViennaMike]

Anyone seen this Tapplock? https://tapplock.com/ Any thoughts on it's security?

[kwoswalt99-]

Wouldn't hold up well against destructive attacks. I have no idea whether or not it could be hacked or shimmed or whatnot.

[Jacob Morgan]

Claims to be shim resistant, but the website says that the body is made of Zamak, i.e., pot metal. A cheap die casting is not a good sign.

Would also be concerned about batteries going dead without knowing about it, how does one then get into it? It appears to have an internal rechargeable battery.

A few years ago the place I worked at went to thumbprint scanners for the workers to clock in and out. For everyones' thumb to work the sensitivity had to be turned down. There were some people whose thumbs just would not scan reliably with the number of points of identification turned up. So, the scanners had to have the points of identification turned down. And that resulted in "cross keying" amongst some thumbs.

Also, several years ago there was an episode on Mythbusters about fingerprint scanners and such where they made fake fingerprints. Assuming that the points of identification, or whatever they are called, are turned down so it will work with the most people, how long will it be before people will start selling kits of fake finger prints? Sort of like a set of try out keys. Not a case of trying to copy a fingerprint, but instead trying out 50 different fake finger prints and get in some percent of the time.

[Moses057]

In my opinion electronic locks are more convenient than they are secure. If the locking pawl is spring loaded it's definitely shimable or even a kinetic attack would work. If the tiny motor inside moves the pawl both ways then shimming and a kinetic attack wouldn't work. If that's the case you could use a large magnet to induce a voltage in the motor and trun it.
Here's a pic of the tapplock from their video

It doesn't matter how great the krypto is or how complicated the electronics are, there is usually a bypass vulnerability some where.

[gumptrick]

I'm agreeing with everything that has been posted so far. The body is mechanically weak, both by design (shape) and the crummy potmetal material. The shackle looks fairly thin and has an awful lot of exposed area on it. This lock looks very easy to defeat by any mechanical means (prying, twisting, hammer, bolt cutters, etc.)

Looking at the pic posted by Moses057 I think that this lock might be shimmable. The piece that locks into the shackle appears to be a smaller, hinged, sub-part of the main locking lever. If that's true then this lock could be shimmed.

I also share the concerns about defeating the fingerprint scanner. Given what the rest of the lock looks like this is clearly not a high security design. I am sure that the tolerances on that scanner are very loose.

I would also be concerned about long-term reliability. What happens if the battery goes dead? Can the flimsy-looking design actually hold up to the elements and normal wear and tear? How long until the sensor (or some other part) fails?

It also seems impractical. Suppose I have something locked up with that thing and a trusted individual (friend of mine, etc.) needs to get into it. With a combination or key lock I can simply tell him the combo or share a key. With this thing the only possible option (assuming it is even supported) would be for the owner to program it for an additional user. That requires the owner to be present.

I think this is a classic case of designing a product simply because it's "cool new tech" but there seems to be very little focus on actual practicality.

[Jacob Morgan]

Also, this would not be very vandal-resistant. A person could probably pick up just anything hard and damage the thumb-print screen. A piece of gravel, for example, forced against it. Normal padlocks can be vandalized, but usually only if the vandal comes prepared. That would limit where these locks could really be used.

[mungeous]

Also, this would not be very vandal-resistant. A person could probably pick up just anything hard and damage the thumb-print screen. A piece of gravel, for example, forced against it. Normal padlocks can be vandalized, but usually only if the vandal comes prepared. That would limit where these locks could really be used.

Classic denial of service attack.

[Moses057]

This is the same vid from the tapplock indiegogo webpage
https://www.indiegogo.com/projects/tapp ... s-travel#/

[gumptrick]

I have to do a double-take every time I see a picture of this lock. The shackle is so thin yet absolutely massive otherwise. You could practically drive a bus through it. What were the designers thinking? Were they trying to make it as easy as possible to stick an random object in there to pry or twist the lock off?

[Jacob Morgan]

Here is an interesting article on what are basically fingerprint try out keys (called masterprints in the article). The first part of the article is boring, but it picks up about half-way through.

https://www.cnbc.com/2017/05/19/new-hacking-threats-fingerprint-vulnerabilities-and-sophisticated-ransomware.html

An excerpt:

Researchers for New York University's (N.Y.U.) Tandon School of Engineering discovered masterprints, digitally altered fingerprints that could match many people's fingers. "If I have this glove or fake hand with these master prints on it then I can unlock say 25, 30, 40 percent of phones," Professor Nasir Memon of N.Y.U. Tandon said.

That would go for these padlocks as well.

[Ralph_Goodman]

I have to do a double-take every time I see a picture of this lock. The shackle is so thin yet absolutely massive otherwise. You could practically drive a bus through it. What were the designers thinking? Were they trying to make it as easy as possible to stick an random object in there to pry or twist the lock off?

Very true. All I can assume is that it was made to have a better design aesthetic. Trying to keep it "sleek and slender", rather than go the full Ingersoll 10 lever metal brick look.

None of these tech companies ever seem to consider the security end of locks... but then again, neither does their target demographic.

[gumptrick]

... but then again, neither does their target demographic.

Very good point there. Their target market seems to be people who think the idea is cool, i.e. "techies". The main focus is certainly not security.

[peterwn]

Anyone seen this Tapplock? https://tapplock.com/ Any thoughts on it's security?

It gets worse and worse. See this article from the UK 'The Register' IT e-magazine:
https://www.theregister.co.uk/2018/06/1 ... er/?page=1

Not only is the software vulnerable to hacking, but the back can be unscrewed then a few screws removed enabling the shackle to be popped open.

Weep!

[jwrm22]

Anyone seen this Tapplock? https://tapplock.com/ Any thoughts on it's security?

It gets worse and worse. See this article from the UK 'The Register' IT e-magazine:
https://www.theregister.co.uk/2018/06/1 ... er/?page=1

Not only is the software vulnerable to hacking, but the back can be unscrewed then a few screws removed enabling the shackle to be popped open.

Weep!

This 'attack' is not guaranteed and is just a quality control issue.
Likely they had a day without the part and said: No-one is going to notice, right?

The last I've heard from it:
The electronic key stays the same and the rights management is all in the app. Bypass it and you'll have access forever.
The 'master code' was derived from the devices MAC address so not very smart. This is likely been fixed.

Even if these locks would be 100% electronically safe.
Then it's still an answer to a problem that does not exist.
Further more all electronics you add will make the hardware weaker.

Disclosure:I'm an electronics guy.