
Smartlock developer settles with FTC after security vulnerabilities found

The FTC settled with Tapplock for misrepresenting how secure its devices were.


Andrew Wyrich


Published Apr 8, 2020   Updated Apr 8, 2020, 3:31 pm CDT

A company that creates smart padlocks has settled with the Federal Trade Commission (FTC) after the agency alleged that its devices left users’ data at risk because of “reasonably foreseeable” vulnerabilities.


The FTC found that Tapplock was deceptive in its representation of providing security and deceptive in its representation of protecting personal information. Essentially, the agency found that Tapplock was marketing its products as secure, when in reality, they were not.


“We allege that Tapplock promised that its internet-connected locks were secure, but in fact, the company failed to even test if that claim was true,” Andrew Smith, the director of the FTC’s Bureau of Consumer Protection, said in a statement. “Tech companies should remember the basics—when you promise security, you need to deliver security.”

Tapplock sells padlocks that connect to the internet and require a fingerprint to unlock. The locks linked with an app that could unlock a device over Bluetooth when it was in range.

The FTC found that Tapplock’s devices had “both physical and electronic vulnerabilities” that it called “reasonably foreseeable” and said could have been avoided if the company had “implemented simple, low-cost steps.”

Those vulnerabilities allowed FTC researchers to unlock the devices by unscrewing a back panel or exploiting an unencrypted Bluetooth connection between the app and the device.

The agency also said they were able to bypass account authentication and access users’ accounts—showing them usernames, email addresses, profile photos, location history, and where exactly a lock was.


As part of the settlement, Tapplock, a Canada-based company, will need to get a third party to assess its security practices every two years, and cannot misrepresent its security and privacy practices.


*First Published: Apr 8, 2020, 3:29 pm CDT