January 15, 2021

Volume XI, Number 15

Smart Lock Manufacturer Settles Alleged False Security Claims with FTC

Canadian company Tapplock, Inc. sells smart locks to the U.S. market that the company advertised as “sturdy,” “secure,” and even “unbreakable.” Tapplock’s assurances that the locks were strengthened with “double-layered lock design” and made with “anti-shim and anti-pry technologies” could be quite an enticement for consumers looking for top-of-the-line connected home security. There was a small problem with Tapplock’s claims, however: three researchers hacked into the locks using several methods – one simply by unscrewing the product’s back panel in a few seconds. The locks are not so smart after all, according to the Federal Trade Commission (FTC), which issued a complaint alleging the company’s locks contained vulnerabilities that made them anything but unbreakable.

Tapplock’s padlocks are fingerprint enabled and open via a mobile app when the user is within Bluetooth range. The app logs usernames, email addresses, profile photos, location history, and geolocation of a user’s smart lock. But researchers found several serious flaws that compromised security. In one case, researchers were able to bypass the account authentication process, gaining full access to the accounts of all Tapplock users and their personal information without being redirected to the login page. Another vulnerability was the company’s failure to encrypt the Bluetooth communication between the lock and the app, which allowed researchers to lock and unlock nearby Tapplock smart locks. The app also had a flaw that prevented users from effectively revoking access by third parties who were previously authorized.

The FTC alleged that these flaws could have been easily fixed had Tapplock taken reasonable steps to identify possible risks. Standard security measures include conducting vulnerability or penetration testing; taking sufficient measures to detect and prevent users from bypassing authentication procedures to gain access to other users’ accounts; adopting and implementing written data security standards, policies, procedures, or practices; and providing privacy and security training for employees.

Under the proposed settlement terms, Tapplock must implement a comprehensive data security plan that is assessed by an independent third party biennially. The order also prohibits the company from misrepresenting its privacy and security practices.

The FTC’s proposed settlement agreement serves as a reminder that smart device manufacturers must ensure that privacy and security measures are part of the design and that security measures are described accurately. Overselling data security may attract customers in the short term, but attracting this kind of attention from the FTC is anything but smart.

© 2020 Keller and Heckman LLP. National Law Review, Volume X, Number 105

About this Author

Sheila Millar, Keller Heckman, advertising lawyer, privacy attorney
Partner

Sheila A. Millar counsels corporate and association clients on advertising, privacy, product safety, and other public policy and regulatory compliance issues.

Ms. Millar advises clients on an array of advertising and marketing issues.  She represents clients in legislative, rulemaking and self-regulatory actions, advises on claims, and assists in developing and evaluating substantiation for claims. She also has extensive experience in privacy, data security and cybersecurity matters.  She helps clients develop website and app privacy policies,...

202-434-4646
Tracy Marshall, Keller Heckman, regulatory attorney, for-profit company lawyer
Partner

Tracy Marshall assists clients with a range of business and regulatory matters.

In the business and transactional area, Ms. Marshall advises for-profit and non-profit clients on corporate organization, operations, and governance matters, and assists clients with structuring and negotiating a variety of transactions, including purchase and sale, marketing, outsourcing, and e-commerce agreements.

In the privacy, data security, and advertising areas, she helps clients comply with privacy, data security, and consumer protection laws, including laws governing telemarketing and...

202-434-4234