Vulnerabilities found in August Smart Lock allow anyone to access your WiFi network
August, Inc. is a San Francisco home automation company focused on Wi-Fi connected door locks and doorbell cameras. The company was founded in November 2012 by Yves Béhar and Jason Johnson. As of July 2018, August Home had sold over one million smart locks and cameras. The Internet of Things security team from Bitdefender has found and reported a security hole in the August Smart Lock that allows hackers to gain full control over the connected WiFi network.
As PCMag reported, the Internet of Things security team from Bitdefender is a group of experts that tests popular smart home devices for security flaws and informs the corresponding company about any flaw before reporting it publicly.
A smart lock needs an internet connection to operate, and the August Smart Lock Pro + Connect is no exception: it requires a connection to your Wi-Fi network. These devices are built without support for any input device, which forces them to use a “common technique” to receive the Wi-Fi login credentials.
As soon as the August Smart Lock Pro + Connect is put into setup mode, it acts as an access point. That lets you connect to the device with your phone, and the app then sends the login credentials to the smart lock.
It was also learned that the device encrypts the login credentials with a simple cipher called ROT-13. ROT13 (“rotate by 13 places”, sometimes hyphenated ROT-13) is a simple letter substitution cipher that replaces a letter with the 13th letter after it in the alphabet. ROT13 is a special case of the Caesar cipher, which was developed in ancient Rome. This makes it easy for hackers to steal the Wi-Fi network login credentials when the exchange takes place between the August Smart Lock Pro + Connect and your smartphone.
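Why ROT13 gives the credentials no confidentiality, as an added example that is not from Bitdefender, August or the original article. The passphrase is a constructed sample, and the device's actual message format is not shown on this page, so only the cipher itself is modelled.

```python
import codecs

def rot13(text: str) -> str:
    """Rotate ASCII letters 13 places; every other character passes through."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + 13) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + 13) % 26 + ord("A")))
        else:
            out.append(ch)  # digits, symbols and spaces are sent as-is
    return "".join(out)

def cleartext_positions(secret: str) -> list[int]:
    """Indexes of characters that ROT13 leaves identical on the wire."""
    return [i for i, (p, c) in enumerate(zip(secret, rot13(secret))) if p == c]

def confidentiality_report(secret: str) -> dict:
    """Summarise what the ROT13 form still reveals about the secret."""
    encoded = rot13(secret)
    return {
        "encoded": encoded,
        "matches_stdlib_codec": codecs.encode(secret, "rot_13") == encoded,
        "self_inverse": rot13(encoded) == secret,
        "length_preserved": len(encoded) == len(secret),
        "case_preserved": all(p.isupper() == c.isupper()
                              for p, c in zip(secret, encoded)),
        "chars_in_clear": len(cleartext_positions(secret)),
    }

# Constructed sample passphrase, not taken from any real network or device.
SAMPLE_PASSPHRASE = "Correct-Horse-42!"

if __name__ == "__main__":
    for field, value in confidentiality_report(SAMPLE_PASSPHRASE).items():
        print(f"{field}: {value}")
```

The transform takes no key: applying the same public function a second time returns the original text, and the length, letter case and every non-letter character of the passphrase are unchanged in the encoded form.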
“The August team is aware of the vulnerability and is currently working to resolve the issue. At this time, we are not aware of any customer accounts affected. The attacker must know precisely when the customer is setting up the Connect device. Once the Connect is fully set up, it is no longer vulnerable to this attack,” an August representative said.