Two serious security holes in the Bluetooth locks Tapplock One and Tapplock One Plus were discovered and exploited by researchers at the Fraunhofer Institute for Secure Information Technology (Fraunhofer SIT). All they needed was a self-made directional antenna built from potato chip cans and two commercially available Raspberry Pis.
Tapplock One: Security hole still open
The US manufacturer Tapplock, which was informed of the flaws, has since responded, but has only updated one of the two Bluetooth locks, according to Fraunhofer SIT. The Tapplock One model has therefore not yet been fixed. The padlocks are unlocked with a fingerprint or with a Bluetooth connection from an app. The advantage: you do not need to carry a key.
The disadvantage, however, is that the locks apparently can be cracked without much effort, at least as long as they have security flaws like the Tapplock models do. The researchers at Fraunhofer SIT successfully carried out two attack scenarios that leave no trace of a break-in. According to the researchers, "low technical and financial resources" are sufficient.
Two attack scenarios for Bluetooth locks
In the first scenario, the attacker listens in while the victim locks the lock, so the data exchanged between app and lock also reaches the attacker. After the lock is closed, the attackers keep the connection alive and simply resend the communication data needed to open the lock again.
According to the researchers, the lock can also be opened with a replay attack. The locking process, for which Tapplock uses a challenge-response scheme, is recorded once, for example with the self-made directional antenna. Once the lock is unobserved, any number of queries can be sent to it; no prior connection to the lock is needed. According to Fraunhofer SIT, the previously recorded challenge is issued again after about 30 to 60 seconds, and the lock opens when the recorded response is replayed.
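The replay attack only works because the lock hands out a challenge it has used before, so a single recorded challenge/response pair stays valid. The following simulation is an added example, not code from Fraunhofer SIT or Tapplock, and it does not model the real Tapplock protocol: the `WeakLock` class simply cycles through a small fixed pool of challenges as a stand-in for the "challenge repeats after 30 to 60 seconds" observation, the shared `KEY`, the HMAC-SHA256 response and the pool size are assumptions, and `HardenedLock` shows the usual fix of a fresh random nonce that is discarded after one use.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Hypothetical secret shared between the owner's app and the lock.
KEY = b"app-and-lock-shared-secret"


def response_for(key: bytes, challenge: bytes) -> bytes:
    """Assumed response function: HMAC-SHA256 over the challenge."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class WeakLock:
    """Lock that reuses challenges from a small fixed pool (constructed model)."""

    def __init__(self, key: bytes, pool_size: int = 8, seed: bytes = b"lock-seed"):
        self.key = key
        # Derive a deterministic pool so the challenge sequence eventually repeats.
        self._pool = [hashlib.sha256(seed + bytes([i])).digest()[:8] for i in range(pool_size)]
        self._next = 0
        self._pending: Optional[bytes] = None
        self.locked = True

    def challenge(self) -> bytes:
        c = self._pool[self._next % len(self._pool)]
        self._next += 1
        self._pending = c
        return c

    def respond(self, resp: bytes) -> bool:
        if self._pending is None:
            return False
        ok = hmac.compare_digest(resp, response_for(self.key, self._pending))
        if ok:
            self.locked = False
        return ok

    def lock(self) -> None:
        self.locked = True


class HardenedLock(WeakLock):
    """Same protocol, but every challenge is a fresh 128-bit nonce used once."""

    def challenge(self) -> bytes:
        self._pending = secrets.token_bytes(16)
        return self._pending

    def respond(self, resp: bytes) -> bool:
        ok = super().respond(resp)
        self._pending = None  # a nonce is never accepted twice
        return ok


def record_exchange(lock: WeakLock, key: bytes) -> Tuple[bytes, bytes]:
    """The eavesdropper captures one legitimate challenge/response pair."""
    c = lock.challenge()
    r = response_for(key, c)
    assert lock.respond(r), "legitimate open should succeed"
    return c, r


def replay_attack(lock: WeakLock, recorded: Tuple[bytes, bytes], max_queries: int = 100) -> Optional[int]:
    """Query the lock until the recorded challenge comes around again, then replay.

    Returns the number of queries needed, or None if the lock never repeated.
    """
    c_rec, r_rec = recorded
    for n in range(1, max_queries + 1):
        if lock.challenge() == c_rec and lock.respond(r_rec):
            return n
    return None


def demo_weak() -> Optional[int]:
    lock = WeakLock(KEY, pool_size=8)
    captured = record_exchange(lock, KEY)   # attacker sniffs the owner locking up
    lock.lock()
    return replay_attack(lock, captured)    # 8: the pool wraps around on query 8


def demo_hardened() -> Optional[int]:
    lock = HardenedLock(KEY)
    captured = record_exchange(lock, KEY)
    lock.lock()
    return replay_attack(lock, captured)    # None: the nonce never comes back


if __name__ == "__main__":
    print("weak lock opened after", demo_weak(), "queries")
    print("hardened lock opened after", demo_hardened(), "queries")
```

The attacker never needs the key: with the weak lock the recorded response becomes valid again as soon as the challenge repeats, which is exactly why "any number of queries" against an unobserved lock is enough. The hardened variant makes the same recording worthless because each nonce is unpredictable and consumed after one attempt.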

