Security Experts:

Connect with us

Hi, what are you looking for?



FTC Settles With Canadian Smart Lock Maker Over Security Practices

The Federal Trade Commission (FTC) has approved a settlement with Canadian smart lock maker Tapplock, which allegedly falsely claimed that its devices were designed to be “unbreakable.”

The Federal Trade Commission (FTC) has approved a settlement with Canadian smart lock maker Tapplock, which allegedly falsely claimed that its devices were designed to be “unbreakable.”

Toronto-based Tapplock, Inc. is an Internet of Things (IoT) technology company that provides smart security solutions for both business and end-users alike. It sells Internet-connected smart fingerprint padlocks that interact with users’ mobile devices when within Bluetooth range.

According to the FTC, although the company advertises its locks as highly secure, these devices are not secure. Moreover, the commission claims that Tapplock hasn’t taken reasonable precautions, and failed to follow industry best practices and keep collected consumer data secure.

Personal information collected by the Tapplock app includes usernames, email addresses, profile photos, and the smart lock’s precise location.

Security researchers have identified both physical and electronic vulnerabilities in Tapplock’s devices, allowing easy access to attackers. Moreover, users cannot effectively revoke access to their locks and the account authentication process can be bypassed, resulting in leaked personal information.

In its complaint, the FTC also alleges that Tapplock failed to take the necessary measures that would have helped it identify electronic vulnerabilities in its locks.

Last week, the agency approved a settlement initially announced in April. The settlement requires Tapplock to implement a security program and prohibits the company from misrepresenting its privacy and security practices.

Furthermore, the IoT provider is required to subject its information security program to third-party assessments every two years, and the commission has authority to approve the assessor for each two-year period.

“After receiving no comments, the Commission voted 5-0 to finalize the settlement,” the FTC announced.

Related: Massachusetts, Indiana Settle With Equifax Over 2017 Data Breach

Related: InfoTrax Settles With FTC Over Data Breach

Related: Tech Companies Partner to Securely Connect IoT to Cloud

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.


Out of the 335 public recommendations on a comprehensive cybersecurity strategy made since 2010, 190 were not implemented by federal agencies as of December...

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.

Risk Management

CISA has published a report detailing the cybersecurity risks to the K-12 education system and recommendations on how to secure it.