August Smart Lock Pro Connect Security Flaw Leaks Your Wi-Fi Credentials To Hackers
The folks at Bitdefender in conjunction with PCMag found a weakness in security during the setup process for the lock. During initial setup, the Smart Lock Pro + Connect acts in effect like an access point, and gains access to your wireless network using your smartphone (via the August app) as a gateway. You enter your login credentials through your smartphone, which are then passed on to the Smart Lock Pro + Connect.
While this setup process is simple enough for the end-user, the passing of your Wi-Fi credentials from your smartphone to the lock are not encrypted, which could leave them vulnerable to a snooping hacker lying in wait to infiltrate your network. However, the window of opportunity for leveraging this type of attack is incredibly small, as a homeowner (or renter) would typically only perform this setup one time. As a result, the attacker would need to be there at the precise moment that setup would occur, which would be a near impossibility.
However, Bitfender found that it’s possible to perform a separate attack that would force the Smart Lock Pro + Connect off your network, which would then require it to go through the setup process again. “The hacker would have to find a spot close enough to listen in on the Wi-Fi network, perhaps a parked car,” writes PCMag. “The attack that forces the doorbell offline takes time. And the device doesn’t reconnect until its owner notices that it's offline and initiates the exchange.”
If this attack vector sound similar, because nearly the exact same exploit was publicly acknowledged in Ring Video Doorbells back in November. Those smart devices were similarly sharing Wi-Fi credentials in cleartext during the setup process. Amazon worked with Bitdefender in that case to identify the cause and implement a solution, which involved encrypting the “handshake” between the smartphone and the doorbell during setup.
For its part, August issued the following statement:
The August team is aware of the vulnerability and is currently working to resolve the issue. At this time, we are not aware of any customer accounts affected. The attacker must know precisely when the customer is setting up the Connect device. Once the Connect is fully set up, it is no longer vulnerable to this attack.
It’s worth noting that the last statement is factually incorrect, as witnessed by the above-mentioned method of knocking the Smart Lock Pro + Connect offline, thereby requiring setup to be restarted is a lingering problem. We should also provide full disclosure that the exploit only works with the Android version of the August app, meaning that iOS devices aren’t affected. In addition, while this hack could provider attackers with access to your entire home network, it does not allow them to control the operation of the actual locking and unlocking of your doors.
Finally, August was first informed of this exploit in December 2019; it has yet to issue a fix.