1. 29

  2. 6

    I thought this was already posted here, but it’s talking about the poor security in the cloud system.

    1. 5

      I’d love to read their post-mortem. They failed at like all possible steps :D

      1. 24

        They appear to have quite a successful business selling multiple locks to infosec bloggers.

        1. 2

          God, that’s brilliant. Just continually create minimal IoT products and trick bloggers into tearing them down after buying them.

        2. 3

          Sure the execution was badly done, but the entire concept was appalling to begin with. Adding fragile battery-powered electronics to a padlock is already pretty stupid. Adding a radio-frequency attack surface to that is stupider. But putting the whole thing on the internet is really the cherry on top. Who the hell buys these products?

          I hope the ridicule this story generates helps a little more of the general public see the implicit “Id” prefix in front of “IoT”.

          All that said…. remember when one of the world’s most reputable bike-lock makers got embarrassed to the point of recalling multiple product lines, all because of a PoC video featuring a Bic pen? Shit happens, in the consumer lock biz no less than anywhere else.

          1. 1

            Well, there’s this, but it’s disappointing. David Tao fucked up massively, and his professional credibility will suffer massively if he doesn’t fix it quick.

          2. 5

            The sad thing is, I suspect this isn’t the “world’s worst” or in fact much worse at all than any other smartlock–I bet they’re all this bad.

            1. 1

              Yeah, I mean, this might be a local maxima of awful, but as software metastasizes through all sorts of new ecosystems, we’ll have to continue to revise the bar upwards.

            2. 5

              Tapplock user? Get and install any and all patches provided. Apparently, the company has now addressed the most obvious web portal holes (guessable account IDs and no HTTPS), but we assume an app update will be needed as well.

              After all that’s come out about the product and company’s practices, why isn’t the advice just “return it”?