If your business makes “smart” devices, you’ll want to read about Tapplock’s settlement with the FTC. It’s one more example of why businesses in the Internet of Things (IoT) space need to think about privacy and security when designing connected products.
Tapplock, Inc. is an IoT company that sells Internet-connected fingerprint-enabled padlocks, called smart locks. The smart locks interact with an app that lets users lock and unlock their smart locks when they’re within Bluetooth range. Tapplock advertised its smart locks as having an “unbreakable design” and being “Bold. Sturdy. Secure.” Tapplock also said that it took “reasonable precautions” and followed “industry best practices” to protect personal information.
According to the FTC’s complaint, though, Tapplock’s smart locks were not secure. In fact, a researcher was able to open one within seconds simply by unscrewing the back panel. Researchers also discovered several security vulnerabilities that Tapplock could have avoided with simple, low-cost steps. For example:
- A vulnerability on Tapplock’s API allowed researchers to bypass account authentication and gain full access to all Tapplock users’ accounts. That includes usernames, email addresses, profile photos, location history and precise geolocation of the smart lock.
- Another vulnerability let researchers lock and unlock any nearby Tapplock smart lock. Why? Tapplock did not encrypt the flow of data between the lock and the app. So researchers could easily identify and generate keys needed for unlocking.
- A third vulnerability prevented users from effectively revoking access to their smart lock once they had provided other users access.
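The second and third findings above share a root cause: an unlock command that a nearby party can observe and reproduce, and an access grant that cannot actually be withdrawn. The following is an added example (not Tapplock's protocol, and not code from the FTC post) of how a lock-side check is usually structured so that neither problem arises: the lock issues a fresh random nonce, the app answers with an HMAC computed under a per-grant secret that never leaves the device, and the lock consults its own grant table before opening. Lock, grant and key names are constructed for the illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed model of a smart lock that opens only for a fresh, keyed
# challenge-response. No unlock secret travels over the air; only a MAC bound
# to a single-use nonce does, so a captured exchange reveals no key and cannot
# be replayed. Revocation is a state change on the lock, so it takes effect
# regardless of what the guest's app still holds.


@dataclass
class Grant:
    grant_id: str
    key: bytes            # per-grant secret shared with that user's app at provisioning
    revoked: bool = False


@dataclass
class SmartLock:
    lock_id: str
    grants: dict = field(default_factory=dict)    # grant_id -> Grant
    _pending: dict = field(default_factory=dict)  # nonce -> grant_id, unused challenges only

    def issue_grant(self, grant_id: str) -> Grant:
        g = Grant(grant_id, secrets.token_bytes(32))
        self.grants[grant_id] = g
        return g

    def revoke(self, grant_id: str) -> None:
        """Owner withdraws access; the grant key becomes useless immediately."""
        self.grants[grant_id].revoked = True

    def challenge(self, grant_id: str) -> bytes:
        """Step 1: lock hands the app a fresh random nonce for this attempt."""
        nonce = secrets.token_bytes(16)
        self._pending[nonce] = grant_id
        return nonce

    def unlock(self, grant_id: str, nonce: bytes, tag: bytes) -> bool:
        """Step 3: nonce must be outstanding, grant must be live, MAC must match."""
        if self._pending.pop(nonce, None) != grant_id:
            return False  # unknown or already-consumed nonce: a replay
        g = self.grants.get(grant_id)
        if g is None or g.revoked:
            return False
        expected = _tag(g.key, self.lock_id, grant_id, nonce)
        return hmac.compare_digest(expected, tag)


def _tag(key: bytes, lock_id: str, grant_id: str, nonce: bytes) -> bytes:
    # Bind the MAC to the purpose, the lock and the grant so a tag for one
    # lock or one user cannot be reused for another.
    msg = b"unlock|" + lock_id.encode() + b"|" + grant_id.encode() + b"|" + nonce
    return hmac.new(key, msg, hashlib.sha256).digest()


def app_respond(key: bytes, lock_id: str, grant_id: str, nonce: bytes) -> bytes:
    """Step 2: the app proves possession of the grant key for this exact challenge."""
    return _tag(key, lock_id, grant_id, nonce)


def demo() -> dict:
    """Walk through a normal unlock, a replay, a revoked grant and a wrong key."""
    lock = SmartLock("lock-0001")
    owner = lock.issue_grant("owner")
    guest = lock.issue_grant("guest")

    # Normal unlock by the guest.
    n = lock.challenge("guest")
    t = app_respond(guest.key, lock.lock_id, "guest", n)
    ok = lock.unlock("guest", n, t)

    # Re-sending the captured (nonce, tag) pair is rejected.
    replay = lock.unlock("guest", n, t)

    # After revocation the guest's key no longer opens the lock.
    lock.revoke("guest")
    n2 = lock.challenge("guest")
    revoked = lock.unlock("guest", n2, app_respond(guest.key, lock.lock_id, "guest", n2))

    # A response computed under the wrong key fails the MAC check.
    n3 = lock.challenge("owner")
    wrong_key = lock.unlock("owner", n3, app_respond(guest.key, lock.lock_id, "owner", n3))

    # The owner's own grant still works.
    n4 = lock.challenge("owner")
    owner_ok = lock.unlock("owner", n4, app_respond(owner.key, lock.lock_id, "owner", n4))
    return {"ok": ok, "replay": replay, "revoked": revoked,
            "wrong_key": wrong_key, "owner_ok": owner_ok}


if __name__ == "__main__":
    print(demo())
```

The MAC layer gives the lock authenticity and freshness; it does not by itself hide the exchange from an observer, so a deployed product would still run this over an encrypted link (for Bluetooth, a properly paired connection) as the post's "encrypt the flow of data" point requires. The two properties are complementary, and the second finding above is what happens when both are missing.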
The FTC’s two-count complaint alleges that Tapplock engaged in deceptive acts or practices in violation of Section 5 of the FTC Act by falsely representing: (1) that its smart locks were secure and (2) that it took reasonable precautions and followed industry best practices to protect consumers’ personal information.
The FTC’s settlement bans Tapplock from making deceptive statements about the security of a device or the privacy of personal information. It also requires Tapplock to implement a comprehensive security program, including employee training. Finally, the company must get biennial third-party assessments and must certify compliance annually.
If your IoT business wants to avoid similar mistakes, here are some things to keep in mind:
- Implement “security by design.” Build security into your products at the outset. Conduct vulnerability and penetration testing before releasing a product.
- Encourage a culture of security. Create written security standards and designate a senior executive who is responsible for product security. Train staff to recognize vulnerabilities and reward them if they speak up.
- Design your product with authentication in mind. Authentication is a must in the Internet of Things. With connected devices, an authentication failure will allow access not only to the device, but also to networks to which it’s connected.
- Take advantage of what experts have already learned about security. For example, standard encryption techniques are available for data that devices transmit and store. Any time your app transmits usernames, passwords, API keys, or other important data, use transit encryption.
- Protect the interfaces between your product and other devices or services. A security weakness at the point where a service communicates with your device could give scammers a foothold into your network. That’s why each of those interfaces needs to be secured.
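The first finding in the complaint was an API that let a logged-in user reach every other user's account. The post does not say how that API was built, so the following added example (not the FTC's or Tapplock's code) shows one general pattern that produces exactly that outcome and its fix: an endpoint that authenticates the caller but never checks that the caller is authorized for the record requested, beside a version that denies by default. Account records, session tokens and the `call` helper are constructed for the illustration.

```python
# Constructed data: two accounts and their live session tokens.
ACCOUNTS = {
    "u100": {"username": "alice", "email": "alice@example.com", "lock_location": (51.50, -0.12)},
    "u200": {"username": "bob",   "email": "bob@example.com",   "lock_location": (48.85, 2.35)},
}
SESSIONS = {"tok-alice": "u100", "tok-bob": "u200"}   # session token -> account id

# Shared-access table: an owner may let another account see a lock's details.
# Constructed; an owner's own account id is implicitly allowed.
SHARED_WITH = {"u100": set()}   # account id -> set of account ids granted read access


class Unauthenticated(Exception):
    pass


class Forbidden(Exception):
    pass


def _caller(session_token: str) -> str:
    """Authentication: map a session token to the account that owns it."""
    uid = SESSIONS.get(session_token)
    if uid is None:
        raise Unauthenticated()
    return uid


def get_account_vulnerable(session_token: str, account_id: str) -> dict:
    """Checks that *someone* is logged in, then returns whatever record was asked for.
    Any valid session can enumerate every account: the flaw the post describes."""
    _caller(session_token)
    return ACCOUNTS[account_id]


def get_account_hardened(session_token: str, account_id: str) -> dict:
    """Authentication plus object-level authorization: the caller must own the
    account or have been explicitly granted access to it. Everything else is 403."""
    uid = _caller(session_token)
    allowed = uid == account_id or uid in SHARED_WITH.get(account_id, set())
    if not allowed:
        raise Forbidden()
    return ACCOUNTS[account_id]


def call(handler, session_token: str, account_id: str) -> str:
    """Tiny request driver that renders the outcome as an HTTP-style status line."""
    try:
        rec = handler(session_token, account_id)
        return "200 " + rec["username"]
    except Unauthenticated:
        return "401"
    except Forbidden:
        return "403"


if __name__ == "__main__":
    for handler in (get_account_vulnerable, get_account_hardened):
        print(handler.__name__)
        print("  bob reads alice:", call(handler, "tok-bob", "u100"))
        print("  alice reads alice:", call(handler, "tok-alice", "u100"))
        print("  no session:", call(handler, "tok-none", "u100"))
```

The difference between the two handlers is a single comparison, which is why the post calls these "simple, low-cost steps". The hardened version also shows where a sharing feature belongs: in an explicit allow-list the server consults on every request, so withdrawing access is a matter of removing an entry rather than hoping the other party's app forgets.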
For more guidance, check out Careful Connections: Building Security in the Internet of Things and App Developers: Start with Security.