How a consumer can check a product hasn't been designed with security in mind
The good thing about this is that even a consumer could check those things - if any of these three things are missing, my view is don't buy the product:
1) Does it have a default password? (I don't want it).
2) Can people report security vulnerabilities to the manufacturer? (check website - no? I don't want it).
3) Can I update the software, and for a period that I know about? (No - I don't want it).
I've described these things before as insecurity canaries - if the vendor is not adhering to some basic things that anyone can check, what does the rest of the product look like under the bonnet?
If you go to the /security page of Tapplock's website you get a "coming soon" screen (yes I know, I thought that somewhat amusing too). So this already means I can't easily report security vulnerabilities to them. To be fair, there is a lot of good practice out there that just needs adopting. There is a window of opportunity for IoT vendors and service providers to get it right before governments start bringing out the big stick. At the moment consumers are being defended by a small band of concerned security researchers who are demonstrating just how poorly secured some of these products really are.