Internet of Things connected August Smart Lock Pro+ flaw can be exploited to reveal the homeowners’ Wi-Fi password
Internet of Things devices are all around us. One such device is a smart lock made by a company called August. The August Smart Lock Pro+ provides an efficient, smart door-locking mechanism in which the door can only be opened through a connected and verified smartphone. The August Smart Lock Pro+ can be added to your existing deadbolt by affixing it to the back of the deadbolt. Once attached, you can use an app on your smartphone to lock or unlock your door, grant guest access, see who came and left, and let anyone in from anywhere.
Security researchers at Bitdefender have found a vulnerability in the August Smart Lock Pro+ which can be exploited to reveal the homeowner's Wi-Fi credentials. Bitdefender's Alex Balan analyzed the latest version of August's smart lock system, which features built-in Wi-Fi. The August Smart Lock Pro is activated by a mobile app; when the phone is within range, communication between the app and the device takes place over Bluetooth Low Energy (BLE). If the user is out of range, the app instead connects through the internet to the Connect bridge, which in turn controls the lock. The security team found that all commands between the devices are encrypted and "cannot be intercepted or modified." In addition, the bridge to the Connect device only works if the user has an August lock registered to the account.
The problem comes with the Wi-Fi setup in the August Smart Lock Pro+. Like every IoT device, the August smart lock needs a connection to the homeowner's local Wi-Fi network. With no keyboard or other input device, you can't just type in the username and password. Both devices use a common technique to manage the initial connection: you put the device into setup mode, which makes it act as a Wi-Fi access point; you connect to that access point with your smartphone; and the app passes the Wi-Fi login credentials to the device.
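How that setup-mode provisioning step can be protected, as an added example that is not August's protocol or code: the app and the device share a per-device pairing secret (assumed here to be a setup code printed on the lock), the Wi-Fi credentials are encrypted and authenticated under keys derived from it, so anyone else on the open setup network sees only ciphertext, and a frame sent with the wrong secret or with a modified byte is rejected. The cipher is an HMAC-SHA256 counter-mode construction so the block runs with the standard library only; a production device would use AES-GCM.

```python
# Added example (hypothetical provisioning protocol, not August's):
# encrypting Wi-Fi credentials sent from the setup app to a device that is
# acting as a temporary access point. Uses only the Python standard library.
import hashlib
import hmac
import json
import secrets


def derive_session_keys(setup_secret: bytes, salt: bytes):
    """HKDF-style derivation: extract a PRK from the pairing secret, then
    expand it into separate encryption and MAC keys."""
    prk = hmac.new(salt, setup_secret, hashlib.sha256).digest()
    enc_key = hmac.new(prk, b"enc\x01", hashlib.sha256).digest()
    mac_key = hmac.new(prk, b"mac\x01", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (stand-in for AES-CTR)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal_credentials(setup_secret: bytes, ssid: str, password: str) -> dict:
    """App side: encrypt-then-MAC the credential payload for the device."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    enc_key, mac_key = derive_session_keys(setup_secret, salt)
    plaintext = json.dumps({"ssid": ssid, "password": password}).encode()
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}


def open_credentials(setup_secret: bytes, msg: dict):
    """Device side: verify the tag first; return None (reject) on any mismatch."""
    enc_key, mac_key = derive_session_keys(setup_secret, msg["salt"])
    expected = hmac.new(mac_key, msg["salt"] + msg["nonce"] + msg["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, msg["tag"]):
        return None  # wrong pairing secret, or frame modified in transit
    pt = bytes(c ^ k for c, k in zip(msg["ct"], _keystream(enc_key, msg["nonce"], len(msg["ct"]))))
    return json.loads(pt)


def payload_exposes_password(msg: dict, password: str) -> bool:
    """Defender's check: does the frame on the wire contain the password bytes?"""
    return password.encode() in msg["ct"]
```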