August Smart Lock Keeps Your House Safe But Not Your Wi-Fi Password

The August Smart Lock won’t let people through the door, but a skilled hacker can find out the victim’s Wi-Fi password. Physical privacy is protected, but people’s digital lives are exposed.

Smart locks are a great addition to personal security, as they free people from the burden of carrying keys. The hospitality industry is also a great beneficiary, with establishment owners able to choose, with just a few taps on their phones, who can enter their property.

Like any other electronic system, the August Smart Lock needs to be secure. Any vulnerability would expose many people. Fortunately, the August Smart Lock is not directly connected to the Internet. It uses the Connect Wi-Fi Bridge for this functionality.

Bitdefender partnered with PCMag and investigated a number of smart devices in the past year, including the August Smart Lock. While the investigation didn’t uncover a way to disable the lock and grant entry to an intruder, it did find that, with the right tools, a hacker can find out your Wi-Fi password.

“The Bitdefender IoT Vulnerability Research Team discovered that the device talks with the configuration application on the smartphone in an encrypted manner, but the encryption key is hardcoded into the app,” says a whitepaper detailing the issue. “This allows a potential attacker within range to eavesdrop on the traffic and intercept the Wi-Fi password.”

The situation is only possible because the Connect Wi-Fi Bridge that talks to the lock has the encryption key hardcoded. The developer obfuscates communication using AES/CBC encryption, but that’s useless when the hacker directly accesses the encryption key.

The good news is that only a criminal with highly technical knowledge can go through the process. But now that the details on how it’s done are in plain sight, automation tools could be developed, making the process much simpler.

Bitdefender follows the rules of responsible disclosure, so we initially contacted the company on December 9, 2019. The makers of the lock acknowledged the vulnerability, and Bitdefender reserved CVE-2019-17098 a few days later. The coordinated public disclosure was scheduled for June 2020. Unfortunately, the vendor stopped answering messages, so we went public with the discovery.

For a more detailed account of the vulnerability, you can check out the whitepaper.