UPDATED with comment from August, Inc.
Security researchers have discovered yet another internet-connected smart lock with a serious security flaw.
According to Romanian cybersecurity firm Bitdefender, a vulnerability found in the August Smart Lock Pro and its Connect Wi-Fi bridge could let hackers grab the access password to your home Wi-Fi network, and from there get into your network and possibly mount local attacks on your devices.
The flaw does not appear to have been fixed. Tom's Guide has reached out to August for comment and we will update this story when we receive a reply.
Bitdefender's researchers said in a blog post that the flaw gives hackers “unprecedented access to any home with this kind of lock” and explained how it is “similar to the one identified in Amazon's Ring Video Doorbell Pro.”
As noted by the researchers, the August Smart Lock Pro can't connect to a Wi-Fi network by itself. So it relies on an additional device, the August Connect Wi-Fi Bridge, to access the internet.
The researchers explained that the Connect acts “as a gateway”, communicating with the Smart Lock Pro via the Bluetooth Low Energy (BLE) protocol.
“The bridge connects to the local wireless network and acts as a relay, making it possible for the user to remotely control the lock over the internet,” says the associated Bitdefender white paper on the flaw. “Every request between the bridge and the servers is encrypted with TLS and cannot be intercepted or modified due to certificate pinning.”
The August Smart Lock Pro itself is controlled by a mobile app and can detect when a previously Bluetooth-paired smartphone is in range.
“The August Smart Lock [Pro] is paired to the smartphone and always communicates through BLE when nearby,” said the white paper. “August Connect talks to the local wireless network and is configured to work only if the user has a lock registered to their account.”
So far, so good. But while the August Smart Lock Pro talks to both the Connect Wi-Fi Bridge and the user's smartphone app via BLE, the Connect Wi-Fi Bridge itself doesn't seem to be able to use Bluetooth to connect directly to the smartphone app.
This creates a problem. The Connect Wi-Fi Bridge needs to connect to your Wi-Fi network to do its job, but it doesn't have your Wi-Fi network's access password, and there's no interface on the Connect Bridge where you could type in the password.
So how do you give the Connect Bridge your home Wi-Fi password? By connecting your phone, with the August Smart Lock app installed, directly to a temporary, password-free, completely open, completely unsecure Wi-Fi network that the Connect Bridge creates during the setup process.
“To receive the required credentials, the bridge creates an open access point that the mobile phone would connect to,” Bitdefender explains. “The app will then use the API provided by the device to require additional information and send the local network credentials.”
But the researchers warned that "this approach has some flaws."
Namely, you don't want to send the password to an encrypted Wi-Fi network over a completely unencrypted Wi-Fi network. That would let anyone else who jumped onto the bridge's temporary Wi-Fi network during the setup process grab the password to the encrypted network right out of the air. Many other smart-home devices have had, and still have, this flaw.
You might think that a setup process that takes only a few minutes to complete doesn't give an attacker a very large window of opportunity. In practice, however, it's pretty easy to knock a specific device off a Wi-Fi network, after which the user would likely try to start the setup process all over again.
Giving away the key
It's time to give the August Smart Lock Pro's designers some credit here. They came up with a solution to encrypt the Wi-Fi password as it was transmitted between the August Smart Lock app and the Connect Bridge so that attackers couldn't just grab the password out of the air.
Unfortunately, their encryption seems to have been rather poorly thought out. If the attacker happens to have the August Smart Lock app installed on their own phone or laptop (via emulation), then it's game over.
Bitdefender explained that the “encryption key is hardcoded into the app” and that hackers can exploit this to “listen in” and “gain access to the user’s WiFi password”.
Anyone else who has the August Smart Lock app installed and is listening in on the temporary network created by the Connect Bridge during the setup will be able to decode the user's Wi-Fi access password as it's transmitted to the Connect Bridge.
And bingo! The attackers now have free rein inside your wireless network and can try to break into your connected devices.
“As a result, they can do anything from compromising the router and stealing data from connected devices, through to streaming content on household TVs,” warned the Bitdefender press release in more than a bit of hyperbole.
In truth, getting the access password to a Wi-Fi network just means you can see other devices on the network. It doesn't give you administrative rights on the router, and it doesn't mean you can automatically do any of the other dastardly deeds Bitdefender mentions in the paragraph above.
Each of those attacks would be completely separate from this rather routine smart-lock exploit. But local network access would make each of those attacks a good deal easier to achieve.
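Why a key shipped inside every copy of an app protects nothing, next to a per-session key agreement, shown as an added example that is not August's or Bitdefender's code. The cipher (AES-256-GCM), the X25519 exchange, and every name and value below are assumptions made for illustration, since the article does not describe the actual scheme or its fix.

```javascript
// Added illustration; not August's or Bitdefender's code. All values are constructed.
const crypto = require('node:crypto');

// AES-256-GCM helpers shared by both designs.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}
function open(key, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAuthTag(tag);
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Design A (the class of flaw described): one key compiled into every install.
const APP_EMBEDDED_KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();

// Design B: each side creates a fresh X25519 key pair for every setup session.
function newSessionKeyPair() {
  return crypto.generateKeyPairSync('x25519');
}
function sessionKey(myPrivate, peerPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'wifi-setup-demo', 32));
}

function compareDesigns(wifiPassword) {
  // A: any other install of the app holds the same key, so it reads the message.
  const msgA = seal(APP_EMBEDDED_KEY, wifiPassword);
  const secondInstallReads = open(APP_EMBEDDED_KEY, msgA) === wifiPassword;

  // B: phone and bridge swap public keys in the clear and derive the same key.
  const phone = newSessionKeyPair();
  const bridge = newSessionKeyPair();
  const msgB = seal(sessionKey(phone.privateKey, bridge.publicKey), wifiPassword);
  const bridgeReads = open(sessionKey(bridge.privateKey, phone.publicKey), msgB) === wifiPassword;

  // A passive listener saw both public keys but holds neither private key.
  const listener = newSessionKeyPair();
  let listenerReads = true;
  try {
    open(sessionKey(listener.privateKey, bridge.publicKey), msgB);
  } catch {
    listenerReads = false; // GCM tag verification fails under the wrong key
  }
  return { secondInstallReads, bridgeReads, listenerReads };
}
```

Design B only defeats passive listening. Because the setup network is open, the bridge's public key would also need to be authenticated, for instance against a value printed on the device, before the app trusts it.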
What to do
After discovering the flaw late last year (it had been asked to examine the August Smart Lock Pro by PC Magazine), Bitdefender reported it to August in December 2019. August requested a joint disclosure in June 2020, presumably after the flaw had been fixed, and well past the standard 90-day public-disclosure window that is common with these sorts of vulnerabilities.
But the cybersecurity firm claims that it had not heard from August since May 2020. So it decided to publish the report without the support of the manufacturer, and presumably before the flaw had been fixed.
Alex Balan, chief security researcher at Bitdefender, recommends: “Nothing endangers your security and privacy like vulnerable internet-connected devices. Before adding a new device to the network it’s important to properly research the vendor and how often they release security patches and updates. Make sure also that you can manage the device's security settings.
“Changing default passwords for devices, closing off port forwarding in routers, and even disabling potentially vulnerable protocols in routers, such as UPnP (Universal Plug and Play), should be part of everyone’s security checklist. Having a security solution capable of protecting IoTs from online attackers is more than recommended if you want to keep your data secure and privacy private.”
We'll add one more recommendation: If your router allows you to create a guest Wi-Fi network that is segregated from or entirely separate from your primary Wi-Fi network, then put your smart-home devices on the guest network so that attackers who break in can't touch the computers, printers and other important devices on the primary network.
Update: August responds
August, Inc., responded to our request for comment with this statement, in full:
"The August team is aware of the vulnerability outlined by PCMag and Bitdefender and is actively working to resolve the issue. As of August 7, 2020, security updates are in production for both the firmware in the device and the Android app.
We are unable to confirm the claim put forward by Bitdefender and PCMag that states an attacker can force the Connect Wi-Fi Bridge back into setup mode once set up. If a customer believes their Wi-Fi network has been compromised, we recommend changing their password once the Connect device has been set up. Once the Connect is set up, it is no longer vulnerable.
It’s important to note that there are very specific circumstances and an extremely narrow window of time where this vulnerability is valid: The August owner must be using the Android app to set up the Connect and the attacker must know precisely when the customer is setting up the Connect device. This vulnerability is not valid on iOS.
At this time, August is still not aware of any customers affected by this vulnerability and this vulnerability does not affect the new August Wi-Fi Smart Lock nor any lock without a Connect."