A few weeks ago, JerryRigEverything on YouTube uploaded a disassembly video of the Tapplock Smart Bluetooth Fingerprint Padlock. The video shows that the Tapplock back cover can be removed by attaching a GoPro camera adhesive mount to it and pulling, after which the lock can be opened easily with a screwdriver.
It's a bit incredible. This video aroused my curiosity about the security of the Tapplock smart padlock. It offers fingerprint recognition, mobile phone Bluetooth and Morse code unlocking. It is convenient, but how safe is it? From this I did some research on Tapplock, and in the end I was able to unlock a Tapplock within 2 seconds.
The Tapplock smart padlock is made of hardened steel and die-cast Zamak-3 zinc alloy. Zamak-3 is commonly used in die-cast products such as children's toys, door handles and men's razors. Strictly speaking, this metal is not very strong and can melt and deform below 400°C. Overall, it is not a good material choice for a strong lock. Zamak-3 makes it easy to produce fine castings that look exquisite and feel solid, so the lock merely looks safe and solid.
Tapplock smart padlock uses the AES 128-bit encryption algorithm, and the encryption strength is very high.
This encryption strength is equivalent to military grade, but for IoT hackers symmetric encryption on its own still has shortcomings, especially since the Tapplock security notes say nothing at all about how keys are paired, exchanged or shared; even basic authentication is not mentioned. In an application like this, AES-128 encryption by itself therefore does not help much.
In addition, there has been plenty of controversy about the security of Tapplock padlocks, for example the article "the unbreakable Tapplock is not that safe and reliable". That article lists many security tests of the Tapplock software and hardware and concludes that Tapplock is not that safe.
Tapplock officially claims that its padlock is "very powerful", but in fact it is probably no match for an Abloy Protec lock. Tapplock also claims that the padlock is "nearly unbreakable", yet it was eventually cut with a 4-inch bolt cutter. It all looks like marketing boasting.
These various security tests also aroused my curiosity, so I bought a Tapplock smart padlock to test it myself. It cost 80 euros, and 14 hours later a Tapplock smart padlock was delivered to my home. First, following JerryRigEverything's method, I stuck a GoPro camera adhesive mount onto the Tapplock back cover.
After 30 minutes for the adhesive to cure fully, I pulled hard on the adhesive mount, but unfortunately I could not get the back cover off. It turns out there is a spring tip inside the back cover that extends up to the top of the cover and is specifically designed to stop the cover loosening or rotating. The spring tip could possibly be broken, but an adhesive camera mount alone is not enough. JerryRigEverything's Tapplock test lock apparently did not have this protruding spring tip, whereas the lock we purchased does. So pulling hard on the camera adhesive mount, as in JerryRigEverything's method, failed to open the Tapplock back cover.
Now we turn to Bluetooth Low Energy (BLE) for testing, and unexpectedly discovered some incredible things there. Generally I like to read time-consuming, in-depth and creative IoT hacking articles, but let's not beat around the bush here and get straight to the point: in less than 45 minutes the Tapplock was cracked and unlocked.
First of all, we discovered that the Tapplock mobile app's HTTP communication uses no transport encryption at all. This is 2018, not ancient times, so this is quite surprising.
As can be seen from the above network analysis, every time I connect to the Tapplock over BLE, a "random" string is sent to the Tapplock. These strings appear to be the commands used to communicate with the Tapplock.
It is also worth noting that no matter how many times I repeat the connection request to the Tapplock, these strings stay exactly the same. As the following command-line run of the Bluetooth LE tool gatttool shows, Tapplock is therefore vulnerable to replay attacks.
The Tapplock mobile app lets users share a Tapplock padlock with other people, and revoke that permission after a certain period. So I shared the test lock with another user and captured the BLE communication, and found that a shared user controls the Tapplock in exactly the same way as a normal single user. That is, even after you have revoked a shared user's unlocking permission, that user can still obtain everything needed for unlock authentication by capturing the communication packets, and can use it to authenticate and unlock the Tapplock just like the original controlling user. This is a bit like the problem with the Ring smart doorbell, where a user with high unlock permissions cannot really be revoked.
The Tapplock smart padlock has no proper factory reset mechanism. Deleting a padlock from an account only removes the padlock record; it does not invalidate the corresponding unlocking data, which is still sent between the server, the app and the Tapplock. An attacker suitably positioned on the network can therefore intercept this unlocking data and use it to unlock the Tapplock.
This is no small problem. But enough talk; being able to unlock the lock is the key point. Now let's analyse how this "random" data unlocks the lock.
After a few minutes of research and analysis, I found the method used for pairing in the Tapplock unlock process:
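To make the replay and revocation problems concrete, here is an added example (not Tapplock's firmware or app code) that models the two designs in Python: a lock that accepts a fixed pairing blob on every connection, as the article describes, and a hypothetical hardened lock that keeps a random per-device key, authenticates with a fresh nonce each time, and rotates its key on revocation. All keys and tokens in it are constructed for the demo.

```python
import hashlib
import hmac
import os

# Added example (not Tapplock's code): a model of the two BLE authentication
# designs discussed above, so the replay and revocation problems can be seen
# end to end. All keys and tokens below are constructed for the demo.


class StaticTokenLock:
    """Vulnerable design as described in the article: the lock accepts a fixed
    pairing blob (key1 + serialNo) that is identical on every connection."""

    def __init__(self, expected_token: bytes) -> None:
        self.expected_token = expected_token
        self.unlocked = False

    def pair(self, token: bytes) -> bool:
        self.unlocked = hmac.compare_digest(token, self.expected_token)
        return self.unlocked


class ChallengeResponseLock:
    """Hardened design (hypothetical): a random per-lock key provisioned at
    pairing and never sent over the air; each unlock uses a fresh nonce."""

    def __init__(self) -> None:
        self._key = os.urandom(32)
        self._pending_nonce = None
        self.unlocked = False

    def provision_key(self) -> bytes:
        # Handed to an authorised phone once, over the pairing channel.
        return self._key

    def revoke_all(self) -> None:
        # Revocation / factory reset must change the secret, otherwise any
        # previously shared user keeps working (the article's sharing problem).
        self._key = os.urandom(32)
        self._pending_nonce = None

    def challenge(self) -> bytes:
        self._pending_nonce = os.urandom(16)
        return self._pending_nonce

    def respond(self, response: bytes) -> bool:
        if self._pending_nonce is None:
            return False
        expected = hmac.new(self._key, self._pending_nonce, hashlib.sha256).digest()
        self._pending_nonce = None  # a nonce is consumed whether or not it verifies
        self.unlocked = hmac.compare_digest(response, expected)
        return self.unlocked


def phone_answer(key: bytes, nonce: bytes) -> bytes:
    """What an authorised phone sends: HMAC of the lock's nonce under the shared key."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def static_token_replay() -> tuple:
    """Captured bytes work again on the static design."""
    lock = StaticTokenLock(b"constructed-key1-serialno")
    sniffed = b"constructed-key1-serialno"  # captured once from a legitimate session
    first = lock.pair(sniffed)
    lock.unlocked = False
    second = lock.pair(sniffed)  # same bytes accepted again: replayable
    return first, second


def challenge_response_replay() -> tuple:
    """A captured answer is useless against a new nonce."""
    lock = ChallengeResponseLock()
    key = lock.provision_key()
    nonce = lock.challenge()
    answer = phone_answer(key, nonce)
    legit = lock.respond(answer)
    lock.challenge()  # new session, new nonce
    replayed = lock.respond(answer)  # stale answer no longer matches
    return legit, replayed


def revocation_is_effective() -> tuple:
    """Rotating the key on revocation locks out a previously shared user."""
    lock = ChallengeResponseLock()
    shared_key = lock.provision_key()  # given to a guest user
    before = lock.respond(phone_answer(shared_key, lock.challenge()))
    lock.revoke_all()
    after = lock.respond(phone_answer(shared_key, lock.challenge()))
    return before, after


if __name__ == "__main__":
    print("static token: first, replay =", static_token_replay())
    print("challenge/response: legit, replay =", challenge_response_replay())
    print("revocation: before, after =", revocation_is_effective())
```

The point of the contrast is that the secret never leaves the hardened lock, each nonce is consumed once, and revocation changes the key, so neither a sniffed session nor a formerly shared user can open the lock afterwards.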
    public void regularPair(String str, byte[] bArr, byte[] bArr2) {
        // str is the lock's BLE MAC address; bArr and bArr2 carry key1 and serialNo
        // Build the fixed pairing command from the two byte arrays
        bArr = getCMD(CMD_PAIRING_REGULAR, bArr, bArr2);
        // Send it to the lock
        send(str, bArr);
        // Debug log of the exact bytes sent
        StringBuilder sb = new StringBuilder();
        sb.append("Regular pair called, send ");
        sb.append(BluetoothTool.byteToStr(bArr));
        Log.e(TAG, sb.toString());
    }
In this method, the fixed command CMD_PAIRING_REGULAR, carrying two byte arrays, is sent to the Tapplock padlock. The two byte arrays are populated from the following call:
    this.bluetoothCenterManager.regularPair(lockMacAddress, BluetoothTool.strToBytes(lockInfo.getKey1()), BluetoothTool.strToBytes(lockInfo.getSerialNo()));
The meaningful values are Key1 and SerialNo. Where do they come from? It turns out that when the lock is first paired, both values are derived from the Bluetooth MAC address of the Tapplock padlock by the keyAndSerialNo method, which looks like this:
    public static String keyAndSerialNo(String str, String str2) {
        // str is the lock's Bluetooth MAC address; str2 selects which field to return
        // Upper-case the MAC, MD5 it, and upper-case the hex digest
        str = AndroidTool.md5(str.toUpperCase()).toUpperCase();
        if (str2.equals(KEY_ONE)) {
            str = str.substring(0, 8);    // key1: hex characters 0-7
        } else if (str2.equals(KEY_TWO)) {
            str = str.substring(8, 16);   // key2: hex characters 8-15
        } else if (str2.equals(SERIAL_NO)) {
            str = str.substring(16, 24);  // serialNo: hex characters 16-23
        }
        return str;
    }
Here the Bluetooth MAC address of the Tapplock padlock is upper-cased and hashed with MD5; characters 0 to 7 of the hex digest are key1 (characters 8 to 15 are key2) and characters 16 to 23 are the SerialNo serial number.
Yes, the only thing you need to know to unlock a Tapplock is the Tapplock's Bluetooth MAC address, and that MAC address is broadcast by the Tapplock itself. I was immediately shocked by such poor security, so I ordered another Tapplock and confirmed that the padlock and its app were genuine.
Finally, I wrote an attack script that scans for a Tapplock padlock and unlocks it. The script can unlock any Tapplock in less than 2 seconds, without any advanced knowledge or skills. Later I will port this script to an Android application to make the whole unlocking operation even more convenient and faster. Overall, the cost of unlocking a Tapplock padlock is very low. The security of the Tapplock smart padlock is shameful. This approach is disrespectful to consumers, and I am speechless.
Tapplock claims to be anti-shimming. It uses a traditional approach in the shackle, which is to extend a second locking notch into the lock body so that an attacker cannot shim the latch. However, Tapplock's notch is relatively thin and sits some distance from the point where pressure is applied.
Also, with a 12-inch bolt cutter you can cut through the Tapplock shackle in less than 10 seconds:
As a smart padlock, Tapplock's security goal is very clear: to stop an attacker opening the lock. The security level of a lock depends on its own threat model design. A correct security design slows down an attacker's attack on the lock to some extent and leaves no security loopholes that can be exploited. As a smart padlock of the IoT era, Tapplock's security is simply worrying: it can be unlocked in less than 2 seconds. But when I reported this issue to Tapplock officials, they actually replied to me:
“Thanks for your note. We are well aware of these notes.”
Ah, so it turns out that Tapplock officials were aware of these problems, yet not only failed to fix them but also kept selling these locks without letting consumers know. That totally shocked me.