Smart Locks Not So Smart with Wi-Fi Security

The rise of online property rental in an increasingly competitive sharing economy has had a major impact on the adoption of Internet-connected smart locks. Packed with features that let landlords issue and revoke access by electronically sharing a token or PIN code during booking, intelligent locks have eliminated the need to meet strangers or use key drops.
Unlike most IoT devices, smart locks are physical security boundaries, so products from top lock companies are preferred to generic brands. But do these devices, made by lock companies that made history in the evolution of the modern lock, live up to their digital promise?
This article – part of a series developed in partnership with PCMag – aims to shed light on the security of the world’s best-sellers in IoT. PCMag contacted the research team at Bitdefender and asked us to look at several popular devices, including the August Smart Lock and Connect Wi-Fi Bridge. More information is available in this article published on our partner’s website.
Key findings – CVE-2019-17098
The Bitdefender IoT Vulnerability Research Team discovered that the device talks with the configuration application on the smartphone in an encrypted manner, but the encryption key is hardcoded into the app. This allows a potential attacker within range to eavesdrop on the traffic and intercept the Wi-Fi password. While this attack would NOT allow a hacker to unlock the front door, it would let them mount additional attacks against the home network.
This vulnerability is similar to the one identified in the Ring Video Doorbell Pro.
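The design flaw described above, as an added example that is not Bitdefender's or the vendor's code: it contrasts provisioning a Wi-Fi password under a key shipped in every copy of an app with provisioning under a key agreed per setup session. The key value, the toy cipher, the toy Diffie-Hellman group and all function names are constructed for illustration and do not reflect the lock's actual protocol.

```python
import hashlib, hmac, secrets

HARDCODED_KEY = b"constructed-key-shipped-in-app"  # constructed stand-in value
P, G = 2**255 - 19, 2  # toy Diffie-Hellman group, for illustration only

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, plaintext):
    # Toy stream cipher; a real design would use an AEAD such as AES-GCM.
    nonce = secrets.token_bytes(12)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(a ^ b for a, b in zip(plaintext, ks))

def unseal(key, blob):
    nonce, ct = blob[:12], blob[12:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def dh_keypair():
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def provision_static(wifi_password):
    # Weak: every install shares the key, so anyone holding the app can read this.
    return seal(HARDCODED_KEY, wifi_password)

def provision_ephemeral(wifi_password):
    # Hardened against passive capture: fresh key pairs per setup, only public values are sent.
    app_priv, app_pub = dh_keypair()
    dev_priv, dev_pub = dh_keypair()
    blob = seal(session_key(app_priv, dev_pub), wifi_password)
    device_view = unseal(session_key(dev_priv, app_pub), blob)
    # Unauthenticated DH does not stop an active man-in-the-middle;
    # real pairing must also authenticate the device.
    return blob, device_view

if __name__ == "__main__":
    pw = b"constructed-wifi-passphrase"
    print(unseal(HARDCODED_KEY, provision_static(pw)) == pw)     # observer holding the app key
    blob, device_view = provision_ephemeral(pw)
    print(device_view == pw, unseal(HARDCODED_KEY, blob) == pw)  # device vs. observer
```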