When it comes to smart lock security, users often worry that a hacker could compromise a device’s built-in security to gain access to their home. However, Bitdefender discovered a new vulnerability in the August Smart Lock Pro + Connect that could allow a hacker full access to a user’s entire Wi-Fi network.
PCMag has partnered with Bitdefender’s IoT security team to gain insight into the security flaws affecting smart home devices and the news release has released a new report on the case, while the security company has published a white paper entitled ‘Cracking the August SmartLock: WiFi Password Eavesdropping Made Easy ”.
In the latest round of IoT device testing, the company’s security team led by Alex “Jay” Balan decided to review the August Smart Lock Pro + Connect to see if there were any vulnerabilities in the device. The smart lock is controlled with a smartphone app that connects to the device using Bluetooth Low Energy (BLE) when it is in range or over the internet when a user is away from home.
The Bitdefender security team found that all commands between the app and the smart lock are encrypted and “cannot be intercepted or modified”. In addition, the August Connect Bridge only works if a user has registered an August lock on their account.
Vulnerability for smart lock
The August Smart Lock Pro + Connect must connect to a user’s local Wi-Fi network in order to function. To configure the device, users need to put their smart lock in setup mode, which makes it act as an access point and the app forwards their Wi-Fi login information to the device.
However, the Bitdefender team discovered a problem with this system, because the references are not protected in any way during this exchange. This means that a hacker listening to the network could catch these references and gain full access to a user’s network. The hacker would have to spy on the network at the exact moment the exchange was taking place to steal the references of a network, but the researchers could find a way to force the references again.
August built coding into their app so that a hacker who snaps on a Wi-Fi network could not steal these references. However, the company has hard-coded the encryption key in the firmware of their smart lock. According to Bitdefender, the key is encrypted with a very simple number called ROT-13.
Bitdefender informed August of its findings December and the hardware maker responded with a proposal for mutual disclosure that was set to take place in June of this year. However, communication between the two companies broke down and Bitdefender decided to disclose the vulnerability itself after a period of 90 days in which August was able to make the necessary fixes to its smart lock.
When PCMag reached by August before publishing the report, a spokeswoman issued the following statement: ‘The August team is aware of the vulnerability and is currently working to resolve the issue. At this time, we are not aware of any relevant client accounts. “
Via PCMag
