There is no question that smart door locks are incredibly handy. Features like unlocking the front door with a phone app, logging all entries, and locking automatically when you leave the area are great. If you are in the short-term rental business, choosing the right smart lock lets you give tenants temporary access during their stay, without the messy business of exchanging house keys. Even so, you may have a little worry in the back of your mind. Hackers actually got into Kanye West’s Twitter account. Maybe they could open your front door? If you are using the August Smart Lock Pro + Connect, that is not the problem. Your front door will remain locked, even if a hacker strolls past singing, “Open Sesame!” That said, an unpatched security hole in this device means that hackers can gain full access to your Wi-Fi network, which could be its own kind of disaster.
PCMag has partnered with the Internet of Things security team at Bitdefender to answer just that kind of question. Bitdefender’s hacking team puts popular smart home devices to the test, looking for security holes that hackers could exploit. When detecting a problem, the team contacts the manufacturer, to allow time for a fix before the vulnerability is revealed. In the past, Ring has fixed a security issue with one of its smart doorbells that would have allowed a patient hacker to gain full access to the Wi-Fi network to which the device was connected. Belkin has also fixed a similar issue with its WeMo Smart Plug. When customers get a safer product, everyone wins.
Things happened a little differently in our research on the iBaby monitor. The Bitdefender team found a way for any camera owner to access images and videos from every such device. The company notified iBaby, without response. But after we published the news, iBaby rolled out a fix within a few days. That’s another win, albeit a delayed one.
How smart is the August lock?
For the latest test round, the Bitdefender team, led by ethical hacking expert Alex “Jay” Balan, took on the August Smart Lock Pro + Connect. This one has been a favorite of ours in the past, and when we checked it out in 2017, it earned our Editors’ Choice badge. August recently released a version with integrated Wi-Fi that also won an Editors’ Choice award. Released three years ago, the Pro edition is an older lock, but you can be sure that many of them have been installed on doors all over the country.
You control the lock with a smartphone app. When you are within range, communication is managed via Bluetooth Low Energy (BLE). If not, the app connects via the internet to the Connect bridge (which is where “+ Connect” comes from), which in turn controls the lock. The security team found that all commands between the devices were encrypted and “could not be intercepted or modified.” In addition, the bridge to the Connect device only works if the user has registered an August lock with the account.
Account access is secure and uses two-factor authentication. Only the owner has full control. Among the owner’s powers is the ability to give others full access, or just limited access. Without those access rights, hackers cannot open the door, period. There’s only one small problem, one very similar to what we encountered with the Ring Video Doorbell …
Ring’s solution
Like the Ring Video Doorbell, the August needs a connection to your local Wi-Fi network. With no keyboard or other input device, you simply cannot enter the username and password on the device itself. Both devices use a common technique to manage the initial connection. You put the device in setup mode, which makes it act as an access point. You connect your smartphone to that access point. And the app passes the Wi-Fi login information to the device.
The Bitdefender team discovered a problem with this system. That exchange of credentials was in no way protected. An intruder listening to the network, even without logging on to it, was able to capture the Wi-Fi credentials and gain full access. Admittedly, the intruder would have to be listening at the exact moment the exchange takes place, but the researchers found a way to force the credentials to be exchanged again.
Implementing this hack would require a lot of patience. The hacker would have to find a place nearby to listen in on the Wi-Fi network, perhaps a parked car. The attack that forces the doorbell offline takes time. And the device does not reconnect until its owner notices that it is offline and initiates the exchange.
Ring quickly fixed the problem by adding encryption to the credential exchange.
It is worth noting that a large number of IoT devices use a similar technique to connect to your Wi-Fi network. Any device that does not encrypt the credential exchange would be vulnerable to this attack.
Security through obscurity never works
The developers at August made a good start and handled matters better. They built in encryption from the start so that a network snoop could not simply grab the Wi-Fi password, but they hard-coded the encryption key in the device’s firmware.
They tried to hide it. According to Bitdefender, the key itself is obscured with an extremely simple encoding called ROT-13, short for “rotate 13.” Picture two disks with the 26 letters around the edge. Rotate one by 13 places. Now A becomes N, B becomes O, and so on. It’s not exactly rocket science. The developers relied on the concealment of the key instead of actually protecting it.
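As an added illustration (not code from Bitdefender, PCMag or August), the Python below shows why ROT-13 protects nothing: it has no key and is its own inverse, so a release audit can undo it on every string in a build. The assumption that the hidden secret is a 128- or 256-bit hex string, the function names and the sample strings are all constructed for the example.

```python
import re
import string

# ROT-13: rotate each letter 13 places. There is no key, and digits are untouched.
_LOWER, _UPPER = string.ascii_lowercase, string.ascii_uppercase
_ROT13 = str.maketrans(_LOWER + _UPPER,
                       _LOWER[13:] + _LOWER[:13] + _UPPER[13:] + _UPPER[:13])

def rot13(text: str) -> str:
    """Apply ROT-13; applying it twice returns the original text."""
    return text.translate(_ROT13)

# Assumption (not from the page): the hidden secret is a 128- or 256-bit hex string.
HEX_KEY = re.compile(r"(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{64})")

def find_obscured_keys(strings):
    """Return (stored, revealed) pairs for strings that look like a hex key only after ROT-13."""
    hits = []
    for stored in strings:
        revealed = rot13(stored)
        # All-digit strings are skipped: ROT-13 leaves them unchanged, so a
        # plain hard-coded-key scan already covers them.
        if HEX_KEY.fullmatch(revealed) and not HEX_KEY.fullmatch(stored):
            hits.append((stored, revealed))
    return hits

# Constructed string table standing in for the strings extracted from a build.
SAMPLE_STRINGS = [
    "connect_setup_v2",
    "ssid=%s&psk=%s",
    "00112233445566778899nnooppqqrrss",   # constructed key, ROT-13 applied
    "Wi-Fi credentials sent",
]

if __name__ == "__main__":
    for stored, revealed in find_obscured_keys(SAMPLE_STRINGS):
        print(f"obscured key candidate: {stored} -> {revealed}")
```

Run as a release check on your own builds, a hit means a secret ships with the product and needs to move to per-device provisioning or a key exchange rather than a better disguise.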
For accurate details on what the team found, and how a hacker could steal your Wi-Fi network login information, you can read Bitdefender’s whitepaper or blog post on the subject.
Is it fixed? Well, no
Bitdefender reported this issue to August in December. August responded with a proposal for joint disclosure in June of 2020. After that, communication broke down. Bitdefender kept trying for a few months, but eventually chose to reveal the problem. Under responsible disclosure protocols, researchers who find a problem typically give the company 90 days to make a fix. In this case, Bitdefender waited almost three times as long.
What could hackers do?
So, the bad news is that a very patient hacker could gain full access to your Wi-Fi network by using this security hole. I checked with Bitdefender’s Jay Balan for some thoughts on just how bad. “People believe that their networks at home are secure,” Balan noted. “All of us suffer from this bias. We all feel a bit secure because it is on our private network. As such, all of our security measures are extremely relaxed in our home networks.”
He went through certain specific scenarios. Network printers communicate without encryption or authentication, allowing an attacker to capture and export all the documents you print. If you are using a Network Attached Storage (NAS) device for backups, chances are good that it receives unprotected files for backup, again giving the attacker full access. By controlling the communication between IoT devices and other devices on the network, a hacker could gain control of those devices. Balan concluded, “By combining the comfort and security you feel on your private network at home with hacking techniques, hackers will have an easier time social engineering users and stealing their online credentials, phishing attacks and so on.”
August’s answer
We contacted August about our plans to release this report, asking for comment. The first response emphasized August’s commitment to safety, stating, “Maintaining the privacy and security of our customers are top priorities for us, because they are the core of who we are as a company and how our products are made.” But it went on to describe the company’s response to a completely different issue, a hardware-based issue known as Spectra. Interestingly, the Black Hat presentation on Spectra did not mention August at all, and focused on vulnerable Macs and smartphones.
When we made our request for comment clearer, an August representative said, “The August team is aware of the vulnerability and is currently working to resolve the issue. At this time, we are not aware of any affected customer accounts.” This is encouraging, though not borne out by the company’s interaction with the Bitdefender team. The representative also said, “The attacker must know exactly when the customer is setting up the Connect device. Once the Connect is fully configured, it is no longer vulnerable to this attack.”
That last part is not really true, considering the Bitdefender crew’s documented technique for forcing setup to happen on demand. The statement also said that only connections with Android devices are affected, not iOS. Bitdefender confirmed that Apple’s improved security means that the attack does not actually work with an iOS device. And it is worth repeating that this vulnerability in no way gives an attacker control of the lock itself.
When you turn penetration testers loose on any device, there’s a decent chance you’ll find a security hole. We do not blame August for the fact that a flaw exists. However, we remain concerned about the company’s response. After eight months, the flaw is not fixed, and the company’s statement suggests an unsatisfactory understanding of what is wrong.
For more information on how to keep your smart home safe, read our guide.