Is Tapplock One secure?

The company makes great claims about the security of its padlock, but shortly after its release security researchers managed to get past its defences.

Not only have they found that it is possible to snip through its supposedly super-tough zinc-alloy case with a pair of bolt cutters, but in a report published for Pen Test Partners, Andrew Tierney found that the Tapplock One openly broadcasts its Bluetooth MAC address. This address is used to calculate the software key necessary for unlocking the shackle, which makes it possible – admittedly with some know-how required – to hack the lock in seconds with only a Bluetooth-equipped phone to hand. A patch has been released for the vulnerability.

A second researcher, Vangelis Stykas, has discovered flaws in the companion app, which he notes does not support HTTPS. With Tierney’s login Stykas was able to add himself as a second user to the Tapplock and then see Tierney’s address – where the lock was likely to be located. His full findings are in his blog.

YouTuber JerryRigEverything has also successfully hacked the Tapplock One, though the company insists his device is faulty and what he was able to achieve is not possible with correctly functioning devices. Following extensive quality control checks they have been unable to find any other defective devices and replicate the fault. JerryRigEverything managed to unscrew the back of the device by fixing a GoPro mount to it, then once inside he was able to unscrew the internals with a standard screwdriver and unlock the Tapplock.

So it’s becoming increasingly obvious that the Tapplock One does not offer the level of security it claims, and in fact is really no more secure than most standard padlocks. In reality the chances of someone stumbling across your Tapplock One, knowing how to hack it and bothering to do so are pretty slim, but it’s a definite possibility. As is most often the case, if someone really wants to get in then they will.

How to buy Tapplock One

Tapplock is a US-based company that is happy to ship orders to the UK via FedEx, but with a hefty shipping price of $38. That means you’ll pay a total of $137 for the Tapplock One, although a current discount takes this down to $123. Converted to Sterling that’s around £97, or £87 with the discount. Further discounts are available on multipacks.

Do note that a week after we posted this review we were invoiced for £17.73 import duty from FedEx, so do budget for that in your purchasing decision.

So why would you pay such a huge chunk of money for something you can buy in the pound shop for a quid? 

Why buy a Tapplock One?

Tapplock claims this isn’t some flimsy padlock that you could crack open like a nut. It says it’s as tough as they come, with a zinc-alloy case and 7mm stainless steel reinforced shackle that is practically unbreakable. You can’t shim the lock using a pick in the way you would with a standard keyhole lock, and you won’t be able to pry it open.

Well, that’s what Tapplock claimed, but as you’ve read above its security is now being brought into question. It’s still a cool padlock, but with this information in mind you should carefully consider whether you’re looking for a deterrent for opportunists, or something that will keep even the most determined thieves out – how valuable is that thing you’re wanting to lock away?

Not having super-human powers we had previously been happy to take Tapplock’s word on the latter. From what we are able to tell it’s a very well-built padlock that is reassuringly weighty at a colossal 308g. This thing feels like it means business, but if you’re intending to carry it around then you should note that you will feel its presence in your rucksack.

It’s also water-resistant – rated IP66 – which means you could use it outdoors, or to secure your possessions in a locker in a swimming pool changing room. Be aware that it is waterproof only with the shackle closed, however, so take care not to allow water inside the lock as you release it.

We’re increasingly seeing tech that claims to be water-resistant, particularly in the smartphone market. But although such devices will survive a dip, their screens will be inoperable until they’re dried off. The Tapplock One has an integrated fingerprint sensor that we found suffers the same fate: while water won’t damage the lock, you won’t be able to use it until you’ve dried your fingers and the fingerprint scanner itself.

In dry conditions the fingerprint scanner is very effective. You must first tap the small button on the underside of the lock to wake the device, then place your finger over the scanner. It reads your fingerprint and unlocks the device in 0.8 seconds, and gets faster each time you use it. 

We’re particularly impressed with its ability to store 500 fingerprints, which means you can register not only all your own digits but also those of your family members, or perhaps work colleagues if you’re planning to lock up some shared storage.

The companion app lets you record and manage those fingerprints, as well as set up a Morse code unlock sequence. This comes in handy at times when you can’t use the fingerprint scanner: you tap the button three times, then enter a sequence of long and short presses of the shackle to unlock Tapplock One. You can unlock it over Bluetooth when it’s near your phone, too.

One of our primary concerns with the Noke was its use of a non-rechargeable battery that must be replaced before it runs out, with the assumption that you would keep an eye on this kind of thing within the companion mobile app or carry around a spare. You can keep watch on this much more easily in the Tapp app, which gives you an exact percentage of the remaining battery power, but you don’t need to because the LED will flash red when the juice is getting low.

In its favour the Tapplock One has a rechargeable battery that Tapplock says will last for around a year or 3,500 unlocks. When it’s time to refill the battery a charging cable is included, though it’s a proprietary cable so you’ll have to take care not to lose it if you’ll be using it only once a year.

Marie is Editorial Director at Foundry. A Journalism graduate from the London College of Printing, she’s worked in tech media for more than 17 years, managing our EMEA and LatAm editorial teams and leading on content strategy through Foundry’s transition from print, to digital, to online - and beyond.