WASHINGTON, D.C. — A Canadian company has settled Federal Trade Commission allegations that it deceived consumers by falsely claiming that its Internet-connected smart locks were designed to be “unbreakable” and that it took reasonable steps to secure the data it collected from users.
The settlement requires Tapplock, Inc. to, among other things, implement a comprehensive security program and obtain independent biennial assessments of the program.
“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Tech companies should remember the basics—when you promise security, you need to deliver security.”
Tapplock sells fingerprint-enabled, Internet-connected padlocks, and has touted in its advertisements that its smart locks were “Bold. Sturdy. Secure,” according to the FTC’s complaint. The company’s smart locks interact with a companion mobile app that allows users to lock and unlock their locks when they are within Bluetooth range.
The FTC, however, alleged that contrary to its representations to consumers, the company’s locks were not secure and that Tapplock failed to take reasonable precautions or follow industry best practices to protect the consumer data it collected.
Security researchers identified both physical and electronic vulnerabilities that allowed them to unlock Tapplock’s smart locks by, for example, unscrewing the product’s back panel or exploiting the unencrypted Bluetooth connection between the app and the lock. Other electronic vulnerabilities prevented consumers from effectively revoking access to their locks and allowed researchers to bypass the account authentication process and access Tapplock user accounts, including their usernames, email addresses, profile photos, location history, and precise location of the lock.
The FTC also alleged that Tapplock failed to implement a security program or take other steps that might have helped the company discover electronic vulnerabilities with its locks.
In addition to the security program provision, the proposed settlement prohibits Tapplock from misrepresenting its privacy and security practices. Tapplock also is required to obtain third-party assessments of its information security program every two years. In addition, the Commission has authority to approve the assessor for each two-year assessment period.
The Commission voted 5-0 to issue the proposed administrative complaint and to accept the consent agreement with the company. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.