Watch how easy it is to break into this $100 "smart" lock

Originally published at: https://boingboing.net/2018/06/03/watch-how-easy-it-is-to-break.html

…

So… how much did that GoPro mount cost? (looks like $20 gets you a total of five of the adhesive strips in a pack of three mounts). So… $4 sunk cost regardless of what you get from behind the lock.

Also, before some idiot stuck this on YouTube, how likely was it that any thief was going to waste time and effort dissecting one of these things?

On the plus side, we should eventually get a really funny video if he keeps using a grinder like that…

Although… what he’s missed here is that the thief gets to keep the lock with no permanent damage done… so actually the sunk cost of the mount doesn’t matter. Dang…

…and after all that the whole thing’s just a fucking ad anyway. And not even for a compentent lock, which would make some sense…

How is the whole thing an ad?

The last 90 seconds are an ad. Because it’s a sponsored video.

If the ad were FOR another type of lock that would pretty much throw suspicion on his entire video as being set up. I think it’s better his sponsor isn’t related to the topic of the video.

Someone should tell the manufacturer about this new-fangled invention called epoxy.

The function of penetration testing is to show the client what the attacker already knows. Defeating this lock was trivial. A customer who puts their trust in it may never consider how to defeat it, but anyone with at least half a brain who does will easily do so.

The word lock in the title is unneeded. Any $100 “smart” will turn out to have a mundane flaw.

Ah, so you subscribe to the “blame the discoverer” school of thought when it comes to security vulnerabilities. Do you also blame your doctor when he correctly diagnoses a condition?

Looking at the product and the website, it’s fairly clear that the manufacturer doesn’t know how to make a secure product, just how to make a flashy product. If you attempted to responsibly disclose the issue to them I would bet that the response would be either (a) to totally ignore you -or- (b) to threaten you with legal action. This is the behavior of at least one other manufacturer of crappy locks (including a couple of “smart” locks). The correct solution when dealing with a manufacturer (of any security product, software and hardware) who won’t listen to you is to publish and be damned.

This lock isn’t even trying to be secure. The correct place to put the screw/bayonet/etc. mechanism to begin disassembly of the lock is down the shackle hole, so the lock can only be disassembled when it is open; alternatively have the locking mechanism block the removal of the back when it is locked.

Shrinkage cost US retailers an estimated $50 billion last year.

I used to do R&D for a company in the retail security space, and I was surprised by both the scale and sophistication of the shoplifting operations we were trying to defend against. As an example (full text here)

At his warehouse, he and Garcia-Oyuela would receive stolen OTC, clean the products of anti-theft stickers and security labels, re-package the products into pallets and ship the merchandise to wholesale companies in the New Jersey, according to the charges.

About 1/2 of retail theft is committed by the retailer’s employees, so high value goods (baby formula, allergy medicine, electronics) are routinely secured in the stockroom with consumer locks like this one. I think it’s entirely plausible that a booster ring would take the time to figure out how to bypass the lock and then implement the exploit in-store.

Yes, except that then the very expensive lock is essentially a disposable, since you can’t replace the battery or perform any other routine service that might be required. I think I’m with @RickMycroft on this, it’s an unnecessarily complicated way to address a problem for which many better solutions exist. The only thing that could make this smart lock worse is if it were connected to the IOT.

Just a small OT nitpick. The guy’s name is Zack, not Jerry. His YouTube channel is called JerryRig Everything, apparently named after his grandfather Jerry.

Of concern here is that it seems likely that the lock can be defeated and reassembled in working order, preventing the attacked party from noticing the crime.

Since the Youtube channel seems to have a DIY ethos, they should publish a video about using Metalset Epoxy to improve the security of the Tapplock padlock.

If the layer under the battery were made tamper-proof using epoxy, the battery would still be replacable without exposing the vulnerable mechanical components.

That’s a good point and a valid solution. The battery is a garuanteed PM component, while failure rates for the other internals can be (probably have been) determined in lifecycle testing and are likely pretty low.

Edited for spelling.

Since the cordless rotary grinder was invented, there is no such thing as “locks” anymore is there?

They could give the back-plate a pin or other extension so that it can’t twist off unless the shackle is open. This would mean you can’t open the lock unless you can open the lock.
Since there is a charging port, you don’t have to worry about needing a live battery to replace the battery.

And isn’t this a variant of the tech proposed for “smart” firearms with trigger ‘locks’?

Absolutely. There are lots of ways to make this better, but as configured in the video it’s not tremendously secure.

If my experience designing on-product security devices taught me anything, it’s that the features which permit assembly and operation of a locking mechanism are usually vulnerable to exploitation. Perfect security probably can’t be achieved, only approached, but that’s okay because security is always a value proposition relative to the thing you are trying to protect. A lock doesn’t have to be perfect to make defeating it cost ineffective, but it probably has to be better than this one.

Not blame the discoverer - blame the dumbass who stuck it on YouTube to make money rather than trying to get the product quietly improved.

Gun security doesn’t have to be “smart” to be poorly executed. I don’t think that’s an argument against safes or locks or what-have-you. It may be an argument against guns in homes.