When it comes to smart lock security, users often worry that a hacker could bypass a device’s built-in security to gain access to their home. However, Bitdefender has discovered a new vulnerability in the August Smart Lock Pro + Connect which could give a hacker full access to a user’s entire Wi-Fi network.
PCMag has partnered with Bitdefender’s IoT security team to gain insights into the security flaws that affect smart home devices and the news outlet has released a new report on the matter while the security firm has published a white paper titled “Cracking the August SmartLock: WiFi Password Eavesdropping Made Easy”.
During its latest round of testing IoT devices, the firm’s security team led by Alex”Jay” Balan decided to look into the August Smart Lock Pro + Connect to see if any vulnerabilities were present in the device. The smart lock is controlled using a smartphone app which connects to the device using Bluetooth Low Energy (BLE) when in range or over the internet when a user is away from their home.
Bitdefender’s security team found that all commands between the app and the smart lock are encrypted and “cannot be intercepted or modified”. Additionally, August’s Connect bridge only works if a user has an August lock registered to their account.
Smart lock vulnerability
The August Smart Lock Pro + Connect needs to connect to a user’s local Wi-Fi network to function. To configure the device, users need put their smart lock into setup mode which causes it to act as an access point and the app passes along their Wi-Fi login credentials to the device.
However, Bitdefender’s team discovered a problem with this system as the credentials are not protected in any way during this exchange. This means that a hacker listening to the network would be able to capture these credentials and gain full access to a user’s network. The hacker would need to be spying on the network at the exact moment the exchange takes place to capture a network’s credentials but the researchers were able to find a way to force reentry of the credentials.
August did build encryption into its app so a hacker snooping on a Wi-Fi network would be unable to steal these credentials outright. However, the company hard-coded the encryption key into the their smart lock’s firmware. According to Bitdefender, the key is encrypted using a very simple cipher called ROT-13.
Bitdefender informed August of its findings last December and the hardware maker responded with a proposal for mutual disclosure that was set to take place in June of this year. Communication between the two companies broke down though and Bitdefender decided to disclose the vulnerability itself following a 90-day period in which August could make the necessary fixes to its smart lock.
When PCMag reached out to August before publishing its report, a company spokesperson provided the following statement: “The August team is aware of the vulnerability and is currently working to resolve the issue. At this time, we are not aware of any customer accounts affected.”