A security loophole in at least one August-branded smart lock could let hackers access users' entire Wi-Fi network. That's based on recent reports from PCMag on the discovery, which was made by Bitdefender. The issue was reported to August way back in December. And the problem still isn't fixed, as of this writing.
Specifically, this vulnerability applies to August's Smart Lock Pro + Connect. And it relies on the way the underlying system works while the smart lock is being set up. But that doesn't necessarily mean it's impossible to implement. A hacker would simply need a bit of patience and the requisite knowledge to initiate a disconnect for the smart lock.
The latter of those steps, contrary to popular belief, isn't overly difficult to accomplish. It simply takes time and timing with these IoT devices. And then it takes more time since the attack relies on the smart lock's owner realizing its offline and going through setup again.
This problem is the result of poor encryption on this August Smart Lock
Now, this is an older smart lock from August. So there's a good chance the problem has been fixed in newer devices. But, that's going to come as no consolation to those who have August Smart Lock Pro + Connect installed. And the problem comes back to poor execution on encryption.
Namely, August built encryption into the system to prevent network snooping to snag a Wi-Fi password — which would allow deeper snooping. But that encryption isn't true encryption, at least not in the modern sense. Instead, it's been hard-coded directly into the device's firmware. And it's protected via a very simplistic ROT-13 method.
The method can best be described as effectively cycling — or rotating — through 13 characters rather than using something more random for the key. In effect, this is a means to attempt security through obscurity. Anybody who has taken any kind of courses or training on security can attest, obscurity is absolutely not security by any stretch of the imagination.
That means that a hacker can effectively force an August Smart Lock Pro + Connect offline, wait for the set-up process to start, and snag the encrypted key during that process.
August's response has been mixed
Now, as noted above, August was notified as of December. PCMag also managed to reach August for comment in the course of its investigation. The company was initially going to have the problem fixed in time for a mutual discloser with Bitdefender in June. But that fell through and the problem is reportedly still not fixed.
According to August, the team is "aware of the vulnerability and working to fix the issue." It also says it hasn't been made aware of any affected users. Although it's difficult to determine just how a user would notice, to begin with. Especially since it's their Wi-Fi network that has been compromised and not the smart lock.
The company also reiterated that it is, in fact, a difficult attack to implement. But it's response does sidestep the fact that Bitdefender was able to work out how to force setup to happen and take advantage of the vulnerability. This attack is reportedly only possible using Android for the setup. iOS devices are not impacted.