The vulnerability exists in the August Smart Lock Pro + Connect and has not been fixed despite repeated alerts from Bitdefender security researchers to the vendor.
There is no doubt technology has made our lives easier, but it has also made us vulnerable to cyber-attacks. The Bitdefender IoT vulnerability research team has discovered a vulnerability (CVE-2019-17098) in the August Smart Lock Pro + Connect that, if exploited, can give threat actors full access to your Wi-Fi network.
Packed with spiffy and innovative features, the August Smart Lock Pro + Connect allows users to control their home's main door or a door elsewhere. The owner can lock or unlock the door with just a tap, grant access to guests, and supervise who enters or leaves the house, among other features.
This is why smart locks like this one are a huge hit in the rental business. There is no hassle of exchanging keys and no concern about manual locks being broken into. But despite being one of the best sellers in the physical security context, the August Smart Lock Pro + Connect falls short.
The device in question cannot connect to the internet directly, whether over a wireless or a wired link, because it lacks the necessary hardware. When the user is within range, the lock is controlled via Bluetooth Low Energy (BLE).
To manage it remotely, the August app uses the Connect Wi-Fi bridge, which establishes a link with the internet and relays the user's commands to and from the smart lock.
The commands exchanged between the devices are encrypted with Transport Layer Security (TLS) and cannot be modified or exploited in any way. In addition, the August Connect's link with the wireless network can only be configured if the owner has a lock registered to their account.
Users gain access to the account via two-factor authentication, so owners have full authority. They can grant full or limited access to guests, receive instant notifications, and check the lock's status.
For this to work, the August Smart Lock Pro + Connect requires a connection to the user's Wi-Fi network. With no keyboard or other input device available, August uses a common technique to establish the connection: the device is put into a setup mode in which it acts as an access point, enabling a link with the smartphone.
The application then communicates the Wi-Fi login credentials to the smart lock. This communication is open (not encrypted), which makes it vulnerable to attack.
It is noteworthy that the device's firmware encrypts the login credentials. The report [PDF] mentions:
The encryption scheme used is AES/CBC with the encryption key hardcoded in the smartphone app, although obfuscated using ROT13.
ROT13 is a simple cipher that a hacker in close proximity can easily decipher. However, pulling this off requires a lot of patience.
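As an added example (not code from Bitdefender's report or from the August app), the following build-time check shows how an app developer can catch key-shaped string literals in source code, including ones hidden with ROT13, which is keyless and self-inverse and so offers no secrecy. It assumes the key is stored as a hex string, which the report excerpt above does not specify; every name and sample value is constructed.

```python
import codecs
import re

# Hex strings whose length matches an AES key (16, 24 or 32 bytes).
HEX_KEY = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{48}|[0-9a-fA-F]{64})$")
# Double-quoted literals of 16+ characters without escapes.
STRING_LITERAL = re.compile(r'"([^"\\]{16,})"')


def rot13(text):
    """ROT13 has no key: applying it twice returns the input."""
    return codecs.encode(text, "rot_13")


def find_key_literals(source):
    """Return (line, encoding, literal) for literals shaped like AES keys.

    A literal is reported as "plain" if it is a hex key as written, or as
    "rot13" if it only becomes one after ROT13 decoding.
    """
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for literal in STRING_LITERAL.findall(line):
            if HEX_KEY.match(literal):
                findings.append((lineno, "plain", literal))
            elif HEX_KEY.match(rot13(literal)):
                findings.append((lineno, "rot13", literal))
    return findings


# Constructed sample input: not a real key and not the app's source.
DEMO_KEY = "00112233445566778899aabbccddeeff"
SAMPLE = (
    'String ssidPrefix = "Example-Setup-AP-0001";\n'
    'String keyA = "' + DEMO_KEY + '";\n'
    'String keyB = "' + rot13(DEMO_KEY) + '";\n'
)

if __name__ == "__main__":
    for lineno, encoding, literal in find_key_literals(SAMPLE):
        print(f"line {lineno}: {encoding} key-shaped literal {literal!r}")
```

A finding of either kind means the secret ships with the app and should be treated as public.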
After discovering the vulnerability, Bitdefender contacted August last December. The vendor responded with plans for full disclosure in June 2020. This did not happen, and Bitdefender decided to reveal its findings to the public.
● Dec 09, 2019: Initial contact with the affected vendor. PGP keys are exchanged
● Dec 10, 2019: Vendor receives a copy of the report in advance
● Dec 18, 2019: Information is sent once again to the affected vendor
● Dec 18, 2019: Vulnerability confirmed
● Dec 18, 2019: Bitdefender reserves CVE-2019-17098
● May 11, 2020: Vendor requests coordinated public disclosure to be scheduled in early June 2020
● Jan 16, 2020: Bitdefender requests an update
● Jul 02, 2020: Bitdefender requests another update in preparation of public disclosure
● Aug 6, 2020: Bitdefender has not heard back from the vendor, the report becomes public.