A company that creates smart padlocks has settled with the Federal Trade Commission (FTC) after the agency alleged that its devices left users’ data at risk because of “reasonably foreseeable” vulnerabilities.
The FTC found that Tapplock was deceptive both in representing that its products provided security and in representing that it protected personal information. Essentially, the agency found that Tapplock was marketing its products as secure when, in reality, they were not.
“We allege that Tapplock promised that its internet-connected locks were secure, but in fact, the company failed to even test if that claim was true,” Andrew Smith, the director of the FTC’s Bureau of Consumer Protection, said in a statement. “Tech companies should remember the basics—when you promise security, you need to deliver security.”
Tapplock sells padlocks that connect to the internet and require a fingerprint to unlock. The locks link with an app that can unlock the device over Bluetooth when the two are in range.
The FTC found that Tapplock’s devices had “both physical and electronic vulnerabilities” that the agency called “reasonably foreseeable” and said could have been avoided if the company had “implemented simple, low-cost steps.”
Those vulnerabilities allowed FTC researchers to unlock the devices by unscrewing a back panel or exploiting an unencrypted Bluetooth connection between the app and the device.
The agency also said the researchers were able to bypass account authentication and access users’ accounts, which showed them usernames, email addresses, profile photos, location history, and exactly where a lock was.
As part of the settlement, Tapplock, a Canada-based company, will need to have a third party assess its security practices every two years, and cannot misrepresent its security and privacy practices.