
For the second time this week, smart lock maker Tapplock is under fire over its security.

Security researcher Vangelis Stykas[1] found that anyone can obtain sensitive information to locate and open a lock, simply by pulling the information directly from the company's leaky API server.

He demonstrated how to retrieve the lock's last known postal address, and enough data to create an unlock code, which can be used to locate and open any smart lock.


Stykas' work builds on research published earlier this week[3]. Andrew Tierney found the lock can be easily opened[4] without the owner's fingerprint, because the unlock code is generated from the unique, hard-coded networking address -- known as a MAC address -- that all Bluetooth devices have. Tierney found the lock takes that MAC address and converts it using the MD5 algorithm, an old algorithm that can be easily cracked. But because all Bluetooth devices broadcast their MAC address, a malicious hacker in close proximity can obtain it, convert it to an MD5 hash, and unlock the device.
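To make the design flaw concrete, here is an added example (not Tapplock's code or the researchers' tooling) that models the scheme the article describes next to a challenge-response alternative in which the broadcast MAC carries no authority. The exact MAC-to-code byte layout and the ChallengeResponseLock class are assumptions made for the model, not details from the article.

```python
import hashlib
import hmac
import secrets

# Weak scheme as the article describes it: the unlock code is a fixed
# function of the lock's Bluetooth MAC address, which every Bluetooth
# device broadcasts. The exact byte layout is not given in the article,
# so hashing the "AA:BB:CC:DD:EE:FF" string is a modelling assumption.
def weak_unlock_code(mac: str) -> str:
    return hashlib.md5(mac.upper().encode("ascii")).hexdigest()

def weak_lock_accepts(mac: str, code: str) -> bool:
    return hmac.compare_digest(code, weak_unlock_code(mac))

def observer_opens_weak(mac: str) -> bool:
    # A passive observer learns the MAC from the lock's own advertisements
    # and computes exactly what the legitimate app computes. The flaw is the
    # public input, not MD5: any hash of a broadcast value is reproducible.
    return weak_lock_accepts(mac, weak_unlock_code(mac))

# Hardened alternative (a hypothetical model, not Tapplock's actual fix):
# the lock holds a random per-device secret that is never transmitted and
# authenticates the app with a fresh challenge on every unlock attempt.
class ChallengeResponseLock:
    def __init__(self, mac: str) -> None:
        self.mac = mac                          # still broadcast; carries no authority
        self.secret = secrets.token_bytes(32)   # provisioned once, never sent over the air
        self._nonce = b""

    def challenge(self) -> bytes:
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def verify(self, response: bytes) -> bool:
        expected = hmac.new(self.secret, self._nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)

def respond(secret: bytes, nonce: bytes) -> bytes:
    return hmac.new(secret, nonce, hashlib.sha256).digest()

def owner_opens_strong(lock: ChallengeResponseLock) -> bool:
    return lock.verify(respond(lock.secret, lock.challenge()))

def observer_opens_strong(lock: ChallengeResponseLock) -> bool:
    # The observer knows the MAC and the nonce but not the secret, so the
    # best it can do from public data is a derivation keyed on the MAC.
    return lock.verify(respond(lock.mac.encode("ascii"), lock.challenge()))
```

The contrast is the review question to ask of any Bluetooth lock: does possession of data the device itself broadcasts suffice to produce a credential it accepts?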

Tapplock said it will fix[5] the security issue in an upcoming app update. Android users are expected to get the app later today, while iOS users have to wait until Apple approves the app.

In a statement Friday, Tapplock confirmed it has pulled the API, which the app relies on to wirelessly open the lock using Bluetooth, given the risk of a data breach.

However, the lock can still be opened with a user's fingerprint and via the backup Morse code feature[6], the statement[7] said.

"This patch
