Vulnerability in August Smart Lock Pro+ Connect IoT door locks can reveal your Wi-Fi password


Internet of Things connected August Smart Lock Pro+ flaw can be exploited to reveal the homeowners’ Wi-Fi password

Internet of Things devices are all around us. One such device is a smart lock made by a company called August. The August Smart Lock Pro+ provides a door-locking mechanism in which the door can only be opened through a connected and verified smartphone. The August Smart Lock Pro+ can be added to your existing deadbolt by affixing it on the inside of the door. Once attached, you can use an app on your smartphone to lock and unlock the door, grant guest access, see who came and went, and let anyone in from anywhere.

Security researchers at Bitdefender have found a vulnerability in the August Smart Lock Pro+ which can be exploited to reveal the homeowners’ Wi-Fi credentials. Bitdefender’s Alex Balan analyzed the latest version of August’s smart lock system, which features built-in Wi-Fi. The August Smart Lock Pro is controlled by a mobile app; when the phone is within range, the app talks to the lock directly over Bluetooth Low Energy (BLE). However, if the user is out of range, the app connects through the internet to the Connect bridge, which in turn controls the lock. The security team found that all commands between the devices are encrypted and “cannot be intercepted or modified.” In addition, the bridge to the Connect device only works if the user has an August lock registered to the account.

The problem comes with the Wi-Fi setup in the August Smart Lock Pro+. Like every IoT device, the August smart lock needs a connection to the homeowner’s local Wi-Fi network. With no keyboard or other input device, you can’t just type in the network name and password. Both devices (the lock and the Connect bridge) use a common technique to manage the initial connection: you put the device in setup mode, which causes it to act as an access point; you connect to that access point using your smartphone; and the app passes the Wi-Fi login credentials to the device.


However, the exchange of credentials between the smart lock and the smartphone is not protected in any way. An attacker passively listening to the wireless traffic, without ever joining the network, could capture the Wi-Fi credentials and thereby gain full access to it. The only precondition is that the eavesdropper must be capturing traffic at the moment the setup exchange takes place.

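To make the weakness concrete, the following added example (written for this page, not Bitdefender's findings or August's firmware) models the setup-AP provisioning hop in both forms: the naive frame that carries the SSID and passphrase in the clear, and a hardened frame that encrypts and authenticates them. It assumes the phone and lock already share a pairing key established over the BLE channel (the article notes BLE commands are encrypted), and it uses an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC purely as a standard-library stand-in for a real AEAD such as AES-GCM. The `credentials_exposed` check is the kind of assertion a firmware test suite can run against captured setup frames.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample credentials for the demo (not real network values).
SAMPLE_SSID = "home-net"
SAMPLE_PSK = "correct horse battery staple"

# Assumption: the phone and the lock already share a pairing key established
# over the (encrypted) BLE channel; the value below is a fixed demo stand-in.
DEMO_PAIRING_KEY = bytes.fromhex("11" * 32)


def provision_plaintext(ssid: str, psk: str) -> bytes:
    """Frame a naive setup-mode firmware sends over its access point:
    the SSID and passphrase travel in the clear."""
    return json.dumps({"ssid": ssid, "psk": psk}).encode()


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF with an empty salt; derives independent sub-keys."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode XORed over the data.
    A production firmware would use AES-GCM or ChaCha20-Poly1305 instead."""
    out = bytearray()
    for block_no in range((len(data) + 31) // 32):
        ks = hmac.new(key, nonce + block_no.to_bytes(4, "big"), hashlib.sha256).digest()
        chunk = data[block_no * 32:(block_no + 1) * 32]
        out += bytes(a ^ b for a, b in zip(chunk, ks))
    return bytes(out)


def provision_protected(ssid: str, psk: str, pairing_key: bytes) -> bytes:
    """Phone side: encrypt-then-MAC the credentials under keys derived from
    the pairing key. Frame layout: nonce(16) || ciphertext || tag(32)."""
    enc_key = hkdf_sha256(pairing_key, b"wifi-provisioning/enc")
    mac_key = hkdf_sha256(pairing_key, b"wifi-provisioning/mac")
    nonce = secrets.token_bytes(16)
    ciphertext = _keystream_xor(enc_key, nonce, provision_plaintext(ssid, psk))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def lock_receive_protected(frame: bytes, pairing_key: bytes) -> dict:
    """Lock side: verify the tag before touching the ciphertext, then decrypt."""
    if len(frame) < 16 + 32:
        raise ValueError("provisioning frame too short")
    enc_key = hkdf_sha256(pairing_key, b"wifi-provisioning/enc")
    mac_key = hkdf_sha256(pairing_key, b"wifi-provisioning/mac")
    nonce, ciphertext, tag = frame[:16], frame[16:-32], frame[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("provisioning frame rejected: authentication tag mismatch")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext))


def credentials_exposed(frame: bytes, ssid: str, psk: str) -> bool:
    """Audit check a firmware test suite can run on captured setup-AP frames:
    True if either secret appears verbatim in the bytes on the air."""
    return ssid.encode() in frame or psk.encode() in frame


if __name__ == "__main__":
    naive = provision_plaintext(SAMPLE_SSID, SAMPLE_PSK)
    hardened = provision_protected(SAMPLE_SSID, SAMPLE_PSK, DEMO_PAIRING_KEY)
    print("naive frame leaks credentials:   ", credentials_exposed(naive, SAMPLE_SSID, SAMPLE_PSK))
    print("hardened frame leaks credentials:", credentials_exposed(hardened, SAMPLE_SSID, SAMPLE_PSK))
    print("lock recovered:", lock_receive_protected(hardened, DEMO_PAIRING_KEY))
```

The point of the hardened path is that the setup access point itself gives no confidentiality, so the credentials must be protected end to end by a key the eavesdropper does not hold; here that key comes from the earlier BLE pairing, which also binds the frame to the legitimate phone so a tampered or replayed-under-another-key frame is rejected before the lock parses it.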
Bitdefender reached out to August in December 2019. The company responded with a joint disclosure proposal, although it stopped communicating with Bitdefender last June. In the absence of a response from the firm, the researchers decided to reveal the flaw, which at that point had not been corrected. Finally, after public disclosure of the flaw, August released a patched firmware for the August Smart Lock Pro+.

If you are using August Smart Lock Pro+, you should immediately upgrade your firmware to protect against the flaw.


