
Exclusive: August Smart Lock Flaw Opens Your Wi-Fi Network to Hackers

The security hole that Bitdefender found in the August Smart Lock Pro + Connect won’t let a hacker open your front door, but it could give a very patient one full access to your Wi-Fi network.

By Neil J. Rubenking
August 10, 2020

There’s no question, smart door locks are incredibly convenient. Features like unlocking the front door with a phone app, logging all entries, and automatically locking up when you leave the area are great. If you’re engaged in the short-term rental business, choosing the right smart lock means you can give renters temporary access during their stay, with no need for the messy business of exchanging house keys.

Even so, you might have just a little concern in the back of your mind. Hackers got into Kanye West’s Twitter account, after all. Maybe they could open your front door? If you use the August Smart Lock Pro + Connect, that's not the problem. Your front door should stay locked even if a whole hacker krewe marches past chanting, "Open Sesame!" That said, an unpatched security hole in this device means those hackers could gain full access to your Wi-Fi network, which could be its own kind of disaster.

PCMag has partnered with the Internet of Things security team at Bitdefender to answer just that sort of question. Bitdefender's hacking team puts popular smart home devices to the test, looking for security holes that hackers could misuse. On discovering a problem, the team contacts the manufacturer, to give it time for a fix before disclosing the vulnerability. In the past, Ring has fixed a security problem with one of its smart doorbells that would have allowed a patient hacker to gain full access to the Wi-Fi network to which the device was connected. Belkin likewise fixed a similar problem with its WeMo Smart Plug. When consumers get a more secure product, everybody wins.

Things happened a bit differently in our investigation of the iBaby monitor. The Bitdefender team found a way for any owner of the camera to get access to pictures and videos from every such device. The company notified iBaby, without response. But after we published the news, iBaby pushed out a fix within a few days. That’s another win, albeit a delayed one.

How Smart Is the August Smart Lock?

For the latest round of testing, the Bitdefender team, led by ethical hacking expert Alex “Jay” Balan, dug into the August Smart Lock Pro + Connect. This one has been a favorite of ours in the past; when we reviewed it in 2017, it earned our Editors’ Choice badge. August recently released a version with integrated Wi-Fi that also won an Editors' Choice award. Released three years ago, the Pro edition is an older lock, but you can be sure there are plenty of them installed on doors all over the country.

You control the lock using a smartphone app. If you’re within range, communication is managed via Bluetooth Low Energy (BLE). If not, the app connects through the internet to the Connect bridge (that's where "+ Connect" comes from) which, in turn, controls the lock. The security team found that all commands between the devices are encrypted and “cannot be intercepted or modified.” In addition, the bridge to the Connect device only works if the user has an August lock registered to the account.

Access to the account is secured and uses two-factor authentication. Only the owner has full control. Among the owner’s powers are the ability to give others full access, or just limited access. Without that access permission, hackers can't open the door, period. There’s just one little problem, one very similar to what we encountered with the Ring Video Doorbell...

Ring’s Solution

Like the Ring Video Doorbell, August needs a connection to your local Wi-Fi network. With no keyboard or other input device, you can’t just type in the username and password. Both devices use a common technique to manage the initial connection. You put the device in setup mode, which causes it to act as an access point. You connect to that access point using your smartphone. And the app passes the Wi-Fi login credentials to the device.

Bitdefender’s team discovered a problem with this system. That exchange of credentials was not protected in any way. An intruder listening in to the network, even without logging in to the network, could capture the Wi-Fi credentials and thereby gain full access. Admittedly, the intruder must be listening at the exact moment the exchange takes place, but the researchers found a way to force reentry of the credentials.

Implementing this hack would take a lot of patience. The hacker would have to find a spot close enough to listen in on the Wi-Fi network, perhaps a parked car. The attack that forces the doorbell offline takes time. And the device doesn’t reconnect until its owner notices that it's offline and initiates the exchange.

Ring quickly fixed the problem by adding encryption to the credential handoff exchange.

It's worth noting that a vast number of IoT devices use a similar technique to connect with your Wi-Fi network. Any device that doesn't encrypt the credential exchange would be vulnerable to this attack.

Security Through Obscurity Never Works

The developers at August made a good start at handling things better. They built in encryption from the start, so a network snoop couldn’t simply grab the Wi-Fi password, but they hard-coded the encryption key in the device’s firmware.

They tried to hide it. According to Bitdefender, the key itself is encrypted using an extraordinarily simple cipher called ROT-13, for rotate 13. Picture two disks with the 26 letters around the edge. Rotate one by 13 places. Now A becomes N, B becomes O, and so on. It’s not exactly rocket science. The developers relied on obscuring the key rather than actually protecting it.
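As an added illustration (not code from Bitdefender, August, or the original article): a release check that searches a firmware image for keys from the team's own inventory, both as-is and under ROT-13. It shows why the obscuring step protects nothing: ROT-13 is its own inverse and leaves length and character entropy unchanged. The key, the image bytes, and all function names are constructed for this example.

```python
import codecs
import math
import re
from collections import Counter

# ASCII runs long enough to plausibly hold key material.
PRINTABLE_RUN = re.compile(rb"[\x20-\x7e]{16,}")

def rot13(text):
    """ROT-13 is its own inverse: applying it twice returns the input."""
    return codecs.encode(text, "rot_13")

def shannon_entropy(text):
    """Bits per character; a letter substitution leaves this unchanged."""
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())

def audit_image(image, key_inventory):
    """Return (encoding, string) for every inventoried key found in the image."""
    findings = []
    for match in PRINTABLE_RUN.finditer(image):
        candidate = match.group().decode("ascii")
        for key in key_inventory:
            if key in candidate:
                findings.append(("plaintext", candidate))
            elif key in rot13(candidate):
                findings.append(("rot13", candidate))
    return findings

# Constructed sample data: a made-up key and a made-up image layout.
SAMPLE_KEY = "Zk4wQpL9xTn2VbHs7RdYc3Mf"
SAMPLE_IMAGE = (b"\x7fFW\x00\x01" + b"wifi_provisioning_handler\x00"
                + rot13(SAMPLE_KEY).encode("ascii") + b"\x00\xff\xfe")

if __name__ == "__main__":
    for encoding, text in audit_image(SAMPLE_IMAGE, [SAMPLE_KEY]):
        print(encoding, text, round(shannon_entropy(text), 2))
```

A finding of either kind means the same key ships in every unit and can be read by anyone holding the image, so the remedy is to stop embedding a shared key, not to pick a stronger obscuring step.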

For precise details of what the team found, and how a hacker could steal your Wi-Fi network's login credentials, you can read Bitdefender’s whitepaper or blog post on the subject.

Is It Fixed? Well, No

Bitdefender notified August of this problem last December. August responded with a proposal for mutual disclosure to take place in June of 2020. After that, communication broke down. Bitdefender continued trying for a few more months, but eventually opted to disclose the problem. Under responsible disclosure protocols, researchers who find a problem typically give the company 90 days to devise a fix. In this case, Bitdefender waited almost three times as long.

What Could Hackers Do?

So, the bad news is that a very patient hacker could gain full access to your Wi-Fi network by using this security hole. I checked in with Bitdefender's Jay Balan for some thoughts on just how bad. "People believe their home networks are secure," noted Balan. "All of us suffer from this bias. All of us feel something is safe because it’s on our private network. As such, all our security measures are extremely relaxed in our home networks."

He went on to point out some specific scenarios. Network printers communicate without encryption or authentication, so an attacker could capture and exfiltrate any documents you print. If you use a local Network Attached Storage (NAS) device for backups, chances are good it receives unprotected files for backup, once again giving the attacker full access. By monitoring the communications between IoT devices and other devices on the network, a hacker could gain control of those devices. Balan concluded, "Combining the comfort and safety you feel on your home private network with hacking techniques, hackers will have an easier time trying to social engineer users and steal their online credentials, launch phishing attacks and so on."

August's Response

We contacted August with our plans to release this report, requesting comment. The initial response emphasized August's commitment to security, stating, "Maintaining our customers’ privacy and security are top priorities for us, as they are at the core of who we are as a company and how our products are created." But it went on to describe the company's response to a completely different problem, a hardware-based vulnerability dubbed Spectra. Interestingly, the Black Hat presentation on Spectra didn't mention August at all, focusing on vulnerable Macs and smartphones.

When we clarified our request for comment, an August representative stated, "The August team is aware of the vulnerability and is currently working to resolve the issue. At this time, we are not aware of any customer accounts affected." This is encouraging, though not borne out by the company's interaction with the Bitdefender team. The representative also said, "The attacker must know precisely when the customer is setting up the Connect device. Once the Connect is fully set up, it is no longer vulnerable to this attack."

That last part is not actually true, given the Bitdefender crew's documented technique for forcing setup to happen on demand. The statement also said that only connection with Android devices is affected, not iOS. Bitdefender confirmed that Apple's enhanced security means the attack indeed doesn't work with an iOS device. And it's worth reiterating that this vulnerability in no way gives an attacker control of the lock itself.

When you turn the spotlight of penetration testing on any device, there's a decent chance you'll find a security hole. We don't fault August for the mere fact that a flaw turned up. We do remain concerned by the company's response, however. After eight months the flaw hasn't been fixed, and the company's statement suggests an incomplete understanding of what's wrong.

For more information on how to keep your smart home safe, read our guide.


About Neil J. Rubenking

Lead Analyst for Security

When the IBM PC was new, I served as the president of the San Francisco PC User Group for three years. That’s how I met PCMag’s editorial team, who brought me on board in 1986. In the years since that fateful meeting, I’ve become PCMag’s expert on security, privacy, and identity protection, putting antivirus tools, security suites, and all kinds of security software through their paces.

Before my current security gig, I supplied PCMag readers with tips and solutions on using popular applications, operating systems, and programming languages in my "User to User" and "Ask Neil" columns, which began in 1990 and ran for almost 20 years. Along the way I wrote more than 40 utility articles, as well as Delphi Programming for Dummies and six other books covering DOS, Windows, and programming. I also reviewed thousands of products of all kinds, ranging from early Sierra Online adventure games to AOL’s precursor Q-Link.

In the early 2000s I turned my focus to security and the growing antivirus industry. After years working with antivirus, I’m known throughout the security industry as an expert on evaluating antivirus tools. I serve as an advisory board member for the Anti-Malware Testing Standards Organization (AMTSO), an international nonprofit group dedicated to coordinating and improving testing of anti-malware solutions.
