Cracking the August SmartLock: WiFi Password Eavesdropping Made Easy

August 11, 2020


The rise of online property rental in an increasingly competitive sharing economy has had a significant impact on the adoption of Internet-connected smart locks. Packed with features that allow landlords to issue and revoke access by electronically sharing a token or PIN code during booking, smart locks have managed to eliminate the need to meet strangers or use key drops.

Unlike most IoT devices, smart locks create physical security boundaries, and products from top lock companies are preferred to generic brands. But do the devices made by lock companies that made history in the evolution of the modern lock live up to their digital promise?

This article – part of a series developed in partnership with PCMag – aims to shed light on the security of the world’s best-sellers in the IoT space. PCMag asked the research team at Bitdefender to look at several popular devices, including the August Smart Lock and Connect Wi-Fi Bridge. More information is available in the article published on our partner’s website.

Vulnerabilities at a glance

The Bitdefender IoT Vulnerability Research Team discovered that the device encrypts its communication with the configuration application on the smartphone, but the encryption key is hardcoded into the app. This allows a potential attacker within range to eavesdrop on the traffic and intercept the Wi-Fi password.

This vulnerability is similar to the one identified in the Ring Video Doorbell Pro.
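
The design difference behind this finding, as an added illustration (not Bitdefender's or August's code, and not the lock's actual protocol, which this page does not describe): a setup frame sealed with a key shipped in the app, next to one sealed with a key agreed per session. The ciphers (AES-256-GCM, X25519, HKDF), the frame layout and every name and value are assumptions constructed for the example.

```javascript
const crypto = require('node:crypto');

// AES-256-GCM helpers. Frame layout iv(12) || tag(16) || ciphertext is an assumption.
function seal(key, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function open(key, frame) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, frame.subarray(0, 12));
  d.setAuthTag(frame.subarray(12, 28));
  try {
    return Buffer.concat([d.update(frame.subarray(28)), d.final()]).toString('utf8');
  } catch {
    return null; // wrong key: GCM authentication fails
  }
}

// Weak design: one key compiled into every copy of the app (constructed value).
const APP_EMBEDDED_KEY = crypto.createHash('sha256').update('constructed-demo-key').digest();

// Hardened design: both sides create an ephemeral X25519 key pair per setup session
// and derive the frame key from the exchange, so nothing reusable ships in the app.
function sessionKey(myPrivate, peerPublic) {
  const shared = crypto.diffieHellman({ privateKey: myPrivate, publicKey: peerPublic });
  return Buffer.from(crypto.hkdfSync('sha256', shared, Buffer.alloc(0), 'wifi-provisioning', 32));
}

function demo() {
  const wifi = 'constructed-wifi-passphrase';
  // A passive observer holds the captured frames plus whatever the app binary contains.
  const observerKey = APP_EMBEDDED_KEY;
  const weakFrame = seal(APP_EMBEDDED_KEY, wifi);

  const phone = crypto.generateKeyPairSync('x25519');
  const lock = crypto.generateKeyPairSync('x25519');
  const strongFrame = seal(sessionKey(phone.privateKey, lock.publicKey), wifi);
  const lockKey = sessionKey(lock.privateKey, phone.publicKey);

  return {
    weakReadByObserver: open(observerKey, weakFrame),     // passphrase recovered
    strongReadByObserver: open(observerKey, strongFrame), // null
    strongReadByLock: open(lockKey, strongFrame),         // intended recipient still reads it
  };
}

console.log(demo());
```

An ephemeral exchange only addresses passive eavesdropping; the public keys still have to be authenticated (for example against a per-device secret) to resist an active man-in-the-middle.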

Disclosure timeline

  • Dec 09, 2019: Initial contact with the affected vendor. PGP keys are exchanged
  • Dec 10, 2019: Vendor receives a copy of the report in advance
  • Dec 18, 2019: Information is sent once again to affected vendor
  • Dec 18, 2019: Vulnerability confirmed
  • Dec 18, 2019: Bitdefender reserves CVE-2019-17098
  • May 11, 2020: Vendor requests coordinated public disclosure to be scheduled in early June 2020
  • Jan 16, 2020: Bitdefender requests an update
  • Jul 02, 2020: Bitdefender requests another update in preparation of public disclosure
  • Aug 6, 2020: As we have not heard back from the vendor, the report becomes public

Download the whitepaper to find out more.



Cybersecurity, IoT, Security vulnerability, Smart door lock