August’s Smart Lock Flaw Can Let Hackers Onto Your Home Network

A woman entering a home with an August smart lock attached to the door.

Smart home devices are all about convenience. But anytime you add a new smart device to your home, you also introduce potential vulnerabilities. U-Tech locks, which could be unlocked remotely by hackers, demonstrate that fact. Researchers in a partnership between PCMag and Bitdefender found a flaw in August’s smart lock, and while hackers can’t use it to open your door, they can access your home network.

The issue at hand doesn’t affect all August locks, just the August Smart Lock Pro + Connect. It’s the + Connect bit that leads to the trouble. The August Smart Lock Pro has been around for three years and is a popular choice among August fans. But the unit itself doesn’t have Wi-Fi built in; you can only control it through Bluetooth. If you want remote access, you need to add the Connect bridge, which provides a Wi-Fi connection.

That’s not uncommon for smart locks or other similar devices, and how you connect the bridge to the August Smart Lock isn’t uncommon either. Since it doesn’t have a keypad or touchscreen, you can’t just plug in your Wi-Fi details directly. Instead, the bridge will broadcast a Wi-Fi connection; you’ll connect with your smart device and provide your Wi-Fi credentials.

The good news is, August wisely encrypted that communication process. Merely listening to the network won’t grant you the credentials. The bad news is, August hardwired that encryption into the firmware, and it used relatively weak encryption.

As PCMag put it, August relied on “obscuring the encryption, rather than protecting it.” Hackers can break through that and listen in when you pass your Wi-Fi credentials to your August bridge.

While that sounds like a limited window, Bitdefender previously demonstrated a technique to knock a similar bridge off the network. That’d lead the user to go through the pairing process again. So a hacker with enough patience could force you to re-enter your credentials during a window when they’re listening.

Bitdefender notified August of the problem in December 2019, and as of now, the company hasn’t fixed the problem. Bitdefender typically gives a 90-day window to address an issue before going public, but at this point, the security researchers have waited three times as long.

That’s unfortunate, especially for a smart home company that makes products specifically designed for security. While it’s true hackers can’t open your locks, they can use the flaw to access your home network, and that’s nearly as bad. They could access nearly any device on your network, including NAS units or your printing queue. In theory, they might even access security cameras.

Hopefully, August will patch the problem sooner rather than later. In a statement to PCMag, August said: “The August team is aware of the vulnerability and is currently working to resolve the issue. At this time, we are not aware of any customer accounts affected.”

If and when August patches the issue, we’ll update this article with that information.

via PCMag, Bitdefender