Ruining All Your Branding

Summary

The article discusses the failure of Tapplock's smart lock to deliver on its security promises, leading to an FTC complaint, despite having a Bug Bounty program.

Abstract

Tapplock, a Canadian company, faced scrutiny after its smart lock was effortlessly bypassed by a magnet, highlighting significant security flaws despite claims of robust security. The Federal Trade Commission (FTC) cited Tapplock for false advertising and inadequate cybersecurity practices, including unencrypted Bluetooth communication and API authentication issues. The article emphasizes the importance of comprehensive security measures beyond just Bug Bounty programs, such as security-by-design, regular testing, and experienced security teams. It also criticizes the industry trend of hiring inexperienced or hybrid teams for security roles, suggesting that this practice is insufficient and that true security expertise is crucial for product integrity and reputation.

Opinions

  • Advertising a product as 'secure' is risky and often ends poorly, as true security is difficult to maintain indefinitely.
  • The FTC's complaint against Tapplock underscores the seriousness of false security claims and the need for companies to deliver on their promises.
  • Bug Bounty programs alone are insufficient for ensuring security; they must be complemented by a comprehensive approach to cybersecurity.
  • Cutting corners in cybersecurity can lead to costly breaches and damage to a company's reputation, which far outweigh the savings from not investing in proper security measures.
  • The trend of hiring hybrid teams for security roles is ineffective; true professionals with a singular focus on security are essential.
  • There is a concern about the current state of recruitment in the cybersecurity industry, where inexperienced recruiters may overlook highly qualified candidates in favor of those who meet keyword-based criteria.
  • The article suggests that there is a lack of diversity in hiring, particularly in terms of age, which may lead to a loss of wisdom and experience in security teams.
  • The author advocates for investing in knowledgeable and experienced security professionals to truly secure products and organizations.

The Tale of the Smart Lock That Doesn’t Actually Lock Anything

Don’t advertise that your product is ‘secure’. It never ends well.

Still taken from TappLock’s Facebook page.

Don’t advertise that anything is ‘secure’. It never ends well. In fact, nothing is secure. Nothing stays secure forever.

Any lock safeguards personal possessions, and within that inherent trust, advertising and smart technologies should provide the average end user the robust security controls that user likely envisions. On March 27th, 2020, the ever famous LockPickingLawyer bypassed a pricey Tapplock device with a $25 magnet, but more pressing security concerns were present in its technical design despite an active Bug Bounty program. On April 6th, 2020, Tapplock was cited in a complaint from the Federal Trade Commission (FTC) for claiming their lock was secure but failing to deliver on that promise (5, 6).

In the United States, the Federal Trade Commission oversees fraud and false or deceptive advertising, including claims about data security, for businesses within the United States and for businesses in any country that market to United States users, such as the Canadian company Tapplock. Thus Tapplock could be cited as negligent for both its advertising and its technical controls. The FTC complaint had nothing to do with the YouTube magnet unlock, but it is fairly outrageous that so many security flaws existed despite the advertising claims. Sadly, if the lock had been tested against even basic security parameters prior to release, these findings would have been listed as bugs for the development team to fix rather than as headline news.

Tech companies should remember the basics — when you promise security, you need to deliver security. - Andrew Smith, Federal Trade Commission

Notable issues according to the Complaint (which also cited Tapplock for not having appropriate cyber security practices and training) are as follows:

  1. Egregious API authentication issues that allowed open access
  2. Unencrypted Bluetooth communication
  3. Account revocation flaws that exposed keys in clear text
  4. Unlocking the lock by unscrewing the back panel
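The API authentication and account revocation findings above describe a flaw class worth seeing concretely. The following is an added, constructed Python model (not Tapplock's code, which the page does not show; the class names, the "guest" identity and the HMAC token scheme are my assumptions) that puts a sharing service which hands out the lock key and only deletes a record on revocation beside a hardened one that keeps the key server-side, authorizes every request, and rotates the key on revocation.

```python
import hashlib
import hmac
import os

class FlawedLockSharing:
    """Flaw class the complaint describes: sharing hands the guest the lock's
    long-lived key, and revocation merely deletes the sharing record."""

    def __init__(self):
        self.key = os.urandom(32)        # should be known only to the server and the lock
        self.authorized = set()

    def share(self, guest):
        self.authorized.add(guest)
        return self.key                  # the key leaves the server in the clear

    def revoke(self, guest):
        self.authorized.discard(guest)   # key unchanged: a cached copy still unlocks

    def unlock(self, presented_key):
        return hmac.compare_digest(presented_key, self.key)


class HardenedLockSharing:
    """Hardened pattern: the key never leaves the server, each unlock needs a
    fresh server-issued token bound to the guest, and revocation rotates the
    key so every previously issued token stops verifying."""

    def __init__(self):
        self.key = os.urandom(32)
        self.authorized = set()

    def share(self, guest):
        self.authorized.add(guest)       # nothing secret is returned to the guest

    def issue_token(self, guest):
        if guest not in self.authorized:  # authorization is checked on every request
            return None
        nonce = os.urandom(16)
        return nonce, hmac.new(self.key, guest.encode() + nonce, hashlib.sha256).digest()

    def revoke(self, guest):
        self.authorized.discard(guest)
        self.key = os.urandom(32)        # rotate so tokens issued under the old key die

    def unlock(self, guest, token):
        nonce, tag = token
        expected = hmac.new(self.key, guest.encode() + nonce, hashlib.sha256).digest()
        return hmac.compare_digest(tag, expected)
```

Replay of an unused token before revocation is not prevented here; a real service would also record consumed nonces.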

Advertising Opens A Lot of Doors

One cannot cut corners when it comes to Cyber Security. Everyone knows that a Bug Bounty program alone is not enough as a security measure. The truth is that having a Bug Bounty program is only one element of cyber security, and any reasonable business will have both security-by-design and regular testing. For security-by-design, a security analyst applies technical controls while designing your product, focusing on security review and threat analysis. Later, auditors validate the result with internal vulnerability and exploit testing, patch management, intermittent externally sourced penetration testing, internal audits, and, if you choose, bug bounty programs. All of the above skills are difficult to find and costly, but they are invaluable parts of the SDLC. In nearly every case, the savings from cutting corners are only a fraction of the cost of a compromise, breach, widely known bug, or, more importantly, the loss of reputation.

Still from Tapplock Website.

Generally, in my experience, cutting corners by hiring hybrid teams to do security work is never a good idea, as true professionals are needed who can segment/focus on just security matters and also have the experience to run the full gamut. Supposedly, there is a skills gap in the industry right now with a lot of need but no actual hiring, likely because of inexperienced recruiters who do not know what to look for (though there are tons of professional recruiters who are really superb!). For the first time in decades, security teams have a budget but are pressured to consolidate their workforce with hybrid teams who cannot focus on security and have valid checks/balances in place to stay objective. True security teams report to legal and have a relationship with executives, but sit above Information Technology within an organization to avoid conflict of interest.

Bad Advertising and Inexperienced Talent are a Risk

Image from the FTC Complaint and Tapplock Marketing material (2)

Bad advertising (hype) in technology and cyber security has been around since the beginning, but in today’s world we are starting to see repercussions. It seems like the Tapplock team did everything right in regard to maintaining a secure appearance via advertising, but had they invested more in testing their product, it could have been more secure and less of a risk to the public. The Internet of Things is a wild, wild mess; however, the US National Institute of Standards and Technology has had a draft recommendation on IoT design (NIST 8259) in the works for quite some time. The world is slowly realizing that despite advertising techniques, the word ‘Smart’ doesn’t mean private or secure, but merely IoT. Next, as an industry, we should correct the terminology that marketing has turned into RAS Syndrome, like ‘Continuous Monitoring’, or the terms ‘PIN Number’ and ‘ATM Machine’, and today’s archaic, incorrect moniker for connected devices: ‘smart’.

Concluding, had Tapplock had additional checks and balances, this could likely have been a different story altogether, about a successful lock instead of a step-lock of disaster. I hope their next product has better controls in place and that companies like them invest in the right experienced professionals for internal review. Hybrid teams don’t work; wisdom does.

One can’t merge development and security to cut corners. Efficiency is key, but accuracy is paramount and preparation can’t be done yesterday.

Wisdom should be valued in Security Talent

Such is a true industry problem and I feel like this is the place to state it: Lately I’ve seen a trend of inexperienced recruiters trained to look for keywords placing new or mid-level candidates in senior roles and skipping overqualified candidates because of lack of depth in understanding. Or something silly like they don’t understand why someone would not want to list Bug Bounties on their resume (if you can’t tell me why, that’s part of the problem). There are TONS of security professionals actively looking right now, including myself, but unable to get past the gatekeepers of bad recruiting. A good team will help design, build, test, and launch your product and application with less risk involved, and that involves a wide variety of skills. It takes all of 10 minutes to find someone of caliber who is looking for a role, and I don’t understand the duplication of inexperienced recruiters over truly seasoned professionals. Hopefully, good recruiters will see talent when it’s right in front of them, but they likely won’t be able to rely on keywords to place the senior candidates with true skills, as they need an understanding of what to look for and likely decades of experience in the industry.

Ageism isn’t the cause of Tapplock’s issues but could be the cause of what would appear to be a lack of maturity around the cyber security process. An inexperienced and homogeneous team can be dangerous to anyone’s business agenda. For example, in the last 15 years of my career within any given workforce, I’ve seen a menagerie of ages, genders, and gender identities. Now that the Boomers have started to retire I’m starting to see only 20-somethings hired by organizations, and I’m wondering how aesthetics seem to supersede knowledge or wisdom when it comes to securing a product. Are we taking our best talent and sending them to pasture in favor of aesthetics/perception? How does that seem like a winning move regarding risk or investment? Let us get ‘smart’ about risk and strategy.

Invest in wisdom, invest in age.

Secure your organization w/ knowledgeable professionals :)


Citations & References

Sources are listed on a separate page.

The opinions and thoughts expressed on this platform reflect only the author’s views alone. Images/passages within this publication may contain certain elements of artificial intelligence; but unless specified, have been edited for this article. This image originates from OpenAI/ChatGPT (2024).
