The Federal Trade Commission (FTC) has approved a settlement with Canadian smart lock maker Tapplock, which allegedly falsely claimed that its devices were designed to be “unbreakable.”
Toronto-based Tapplock, Inc. is an Internet of Things (IoT) technology company that provides smart security solutions for both business and end-users alike. It sells Internet-connected smart fingerprint padlocks that interact with users’ mobile devices when within Bluetooth range.
According to the FTC, although the company advertises its locks as highly secure, these devices are not secure. Moreover, the commission claims that Tapplock hasn’t taken reasonable precautions, and failed to follow industry best practices and keep collected consumer data secure.
Personal information collected by the Tapplock app includes usernames, email addresses, profile photos, and the smart lock’s precise location.
Security researchers have identified both physical and electronic vulnerabilities in Tapplock’s devices, allowing easy access to attackers. Moreover, users cannot effectively revoke access to their locks and the account authentication process can be bypassed, resulting in leaked personal information.
In its complaint, the FTC also alleges that Tapplock failed to take the necessary measures that would have helped it identify electronic vulnerabilities in its locks.
Last week, the agency approved a settlement initially announced in April. The settlement requires Tapplock to implement a security program and prohibits the company from misrepresenting its privacy and security practices.
Furthermore, the IoT provider is required to subject its information security program to third-party assessments every two years, and the commission has authority to approve the assessor for each two-year period.
“After receiving no comments, the Commission voted 5-0 to finalize the settlement,” the FTC announced.