For a product that’s been backed to over $300,000 on Indiegogo — over 500 percent of its original goal — Tapplock is having a bad week in the security department. Specifically, some friendly hackers at Pen Test Partners were able to crack the Bluetooth-enabled smart lock in seconds using only a cell phone.

Digital Trends wrote about the lock and its “cutting edge encrypted fingerprint sensor” back in 2016, but the $100 smart lock turns out to be pretty vulnerable to security penetration, both in terms of its physical makeup and its security platform.

First, its physical makeup is somewhat compromised. Sure, a pair of bolt cutters can go through the lock like a hot knife through butter, but that’s true of most consumer market locks. Never mind that the lock isn’t even waterproof but merely “water resistant.” It turns out the lock is made of an industrial alloy called Zamak 3, a zinc-aluminum alloy more commonly found in die-cast toys and door handles, a material that isn’t strong, is brittle, and melts at temperatures below 800 degrees Fahrenheit. By comparison, an air-only blowtorch burns at more than 3,600 degrees F while an oxygen-fed torch fires up at more than 5,000 degrees.

But that’s not all on the physical security front. Several YouTubers have already put up videos demonstrating the fragility of the lock. On June 1, a user called JerryRigEverything was able to employ a sticky GoPro mount to remove the back of the lock, dismantle it with a screwdriver, and open the shackle. Subsequently, CNET tried the same trick and couldn’t break the lock, so whether the lock is physically secure is still up in the air.

In the meantime, Tapplock has issued a statement that all future lock batches will use proprietary screws in the inside chambers as a secondary protective mechanism. The company is also offering free replacements to any customer who is able to crack the back cover without damaging the lock.

Meanwhile, the company is dealing with the bigger headache of Pen Test Partners being able to break the Tapplock’s internal software and unlock it in less than two seconds; finding the flaw took the penetration testers less than an hour. Not only does the software communicate over unencrypted HTTP, but the locks use the same unlock data every time. Any bad actor on the same network can sniff the traffic, grab the unlocking data, and use it to unlock the device indefinitely. There is no factory reset for the lock.
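The failure described above is the classic replay problem: if the unlock data never changes, anyone who observes it once can present it again. The Python below is an added illustration, not Tapplock’s or Pen Test Partners’ code, and it models nothing about the real product. It contrasts a constructed lock that accepts a fixed unlock blob with one that issues a fresh random nonce per attempt and expects an HMAC over that nonce, so a captured response is useless the next time. The key, token and class names are all assumptions for the demo.

```python
import hashlib
import hmac
import os

# Constructed demo key shared between the owner's phone app and the lock.
# Not a real product secret.
SHARED_KEY = b"constructed-demo-key"


class StaticTokenLock:
    """Lock that accepts the same fixed unlock data on every attempt.

    This is the pattern the article describes: whatever can observe one
    successful unlock can simply repeat it, forever.
    """

    def __init__(self, token: bytes) -> None:
        self._token = token

    def unlock(self, data: bytes) -> bool:
        return hmac.compare_digest(data, self._token)


class ChallengeResponseLock:
    """Lock that binds each unlock to a one-time random challenge.

    The phone must answer HMAC(key, nonce). Because the nonce changes every
    time and is consumed after a single use, a response sniffed off the wire
    cannot be replayed.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._pending: bytes | None = None

    def challenge(self) -> bytes:
        # 128 bits of fresh randomness per attempt; the lock never reuses it.
        self._pending = os.urandom(16)
        return self._pending

    def unlock(self, response: bytes) -> bool:
        if self._pending is None:
            return False  # no outstanding challenge, nothing to verify against
        expected = hmac.new(self._key, self._pending, hashlib.sha256).digest()
        # Consume the nonce whether or not the attempt succeeds, so a wrong
        # guess cannot be retried against the same challenge.
        self._pending = None
        return hmac.compare_digest(response, expected)


def owner_response(key: bytes, nonce: bytes) -> bytes:
    """What the legitimate phone app computes for a given challenge."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def replay_succeeds_against_static() -> bool:
    """Static token: the observed blob opens the lock again and again."""
    lock = StaticTokenLock(b"fixed-unlock-blob")
    observed = b"fixed-unlock-blob"  # constructed: what a sniffer would capture
    return lock.unlock(observed) and lock.unlock(observed)


def replay_fails_against_challenge_response() -> tuple[bool, bool]:
    """Challenge-response: the first (legitimate) unlock works, the replay does not."""
    lock = ChallengeResponseLock(SHARED_KEY)
    nonce = lock.challenge()
    response = owner_response(SHARED_KEY, nonce)
    first = lock.unlock(response)   # owner's phone answers the live challenge
    lock.challenge()                # next attempt gets a brand-new nonce
    second = lock.unlock(response)  # captured response presented again
    return first, second


if __name__ == "__main__":
    print("static token replay works:", replay_succeeds_against_static())
    print("challenge-response (legit, replay):", replay_fails_against_challenge_response())
```

Note that the two problems the article names are separate: encrypting the transport (TLS or an authenticated BLE pairing) stops a bystander from reading the exchange, while the per-attempt nonce is what makes a recorded exchange worthless even if it is read. A lock needs both.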

“This level of security is completely unacceptable,” wrote Pen Test Partners researcher Andrew Tierney. “Consumers deserve better, and treating your customers like this is hugely disrespectful. To be honest, I am lost for words.”

When informed of the hack, Tapplock’s backer Pishon Lab told Tierney, “We are well aware of these notes.”

Subsequently, the company says that it is upgrading its QA process and pushing out a security patch to address the software vulnerability. Its QA procedures now include a 2-step inspection to ensure the lock’s spring-pen mechanism is effective, while a software patch upgrades the security protocol to include additional authentication steps. The patch involves an app update as well as a firmware update, administered via the company’s proprietary app.

Pishon Labs also offered thanks to Pen Test Partners for “the timely prompt and ethical disclosure.”