The U.S. Federal Trade Commission (FTC) on Monday announced that Tapplock, a Canada-based maker of smart padlocks, has entered into a settlement with the agency over allegations that it falsely claimed its locks were “unbreakable” and that it took reasonable steps to secure user data.
According to a statement, Tapplock will now be required to “implement a comprehensive security program and obtain independent biennial assessments of the program.”
“We allege that Tapplock promised that its Internet-connected locks were secure, but in fact the company failed to even test if that claim was true,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “Tech companies should remember the basics—when you promise security, you need to deliver security.”
According to the FTC, security researchers identified both physical and electronic vulnerabilities that allowed them to unlock Tapplock’s smart locks by, for example, unscrewing the product’s back panel or exploiting the unencrypted Bluetooth connection between the app and the lock. Other electronic vulnerabilities prevented consumers from effectively revoking access to their locks and allowed researchers to bypass the account authentication process and access Tapplock user accounts, including usernames, email addresses, profile photos, location history, and the precise location of the lock.
The FTC also alleged that Tapplock failed to implement a security program or take other steps that might have helped the company discover electronic vulnerabilities in its locks.
In addition to the security program provision, the proposed settlement prohibits Tapplock from misrepresenting its privacy and security practices. Tapplock will also be required to obtain third-party assessments of its information security program every two years. In addition, the FTC has authority to approve the assessor for each two-year assessment period.