More Pain and Suffering for Tapplock?

Hacking padlocks using Web Bluetooth

Alasdair Allan
2 min readJun 29, 2018

It seems we’ve not reached the end of the Tapplock story. After previously discovering that the company behind the security compromised lock had based their code on the Nordic Semiconductor’s generic UART service, Don Coleman, my co-author on “Make: Bluetooth,” decided to investigate further.

The Tapplock (📷: Don Coleman)

Coleman went ahead and put together a Web Bluetooth application to scan for, and then unlock, any Tapplocks in range.

“I’m finding locks by scanning for the advertised UUID 6e400001-b5a3-f393-e0a9-e50e24dcca9e, which is Nordic’s generic UART service so it finds other devices. Since Web Bluetooth can’t get the the MAC address, I use the 55aa9a0100009a01 command to have the lock tell me it’s MAC address.” — Don Coleman

Unlocking a Tapplock using Web Bluetooth. (📷: Don Coleman)

His demo application should work in the Chrome browser on most platforms including macOS, Android, Chrome OS, and on Linux. Although on Linux, you may have to enable experimental platform features.

“The big win with my code is that I can get the lock to tell me it’s MAC address so it works with platforms that hide the MAC address like Web Bluetooth, macOS and iOS. For what it’s worth I have an iOS unlock app now as well.”Don Coleman

However it turns out that even the current software running on the Tapplock padlock is actually a big improvement over previous releases of the lock’s software.

Earlier Tapplocks don’t need anything more than a static Bluetooth LE packet to force the shackle to unlock. It turns out that older versions of the firmware had a hard coded key.

This is seriously bad practice, as it’s trivially easy to download an Android APK and decompile it.

In fact, given the large number of cheap locks now appearing on Amazon, I’m starting to think that a lot of people will be having fun with padlocks at this year’s HOPE conference in New York in a few weeks time.

The Tapplock story all began with a video, and one that concentrated on the physical, rather than software security, of the lock. But that video brought so much attention on to it that the Tapplock is now fast becoming a poster child for the all the problems around the Internet of Things.

It’s very obvious that we all need to start looking more closely at our smart devices. From manufacture, to final disposal, we need to encourage our industry to make different and more ethical design choices. Because things just can’t continue as they are, as an industry we need to do better.