Smart lock vulnerability gives hackers your WiFi password

Smart locks have recently become one of the most popular smart home tools. With functions such as opening doors via a mobile app, registering any access, automatic blocking and temporary access, these devices are especially useful for homes, businesses and tourist services, according to specialists from an ethical hacking course.

While the cybersecurity community generally considers these devices highly secure, they are not free of flaws. Recent research detected an issue in the August Smart Lock Pro + Connect that would allow threat actors to obtain the user’s WiFi network password very easily, which could cause all kinds of disasters. The research was carried out by a team specialized in the Internet of Things (IoT) at the firm Bitdefender, in collaboration with PCMag.

A slight flaw in this device

The research team, led by Alex Balan, an expert from an ethical hacking course, focused on analyzing the latest version of the smart padlock, which features built-in WiFi. The padlock is operated through a mobile app; when the phone is within range, the app and the device communicate via Bluetooth Low Energy (BLE). If this protocol is not used, the app instead connects over the Internet to the Connect bridge, which is responsible for controlling the padlock. These commands are encrypted and cannot be manipulated.

Similar to other IoT devices (such as Ring smart rings), the August Smart Lock requires a connection to the local WiFi network. This connection is set up by enabling the device’s “Settings” mode, which turns the lock into an access point. The login credentials are then sent through the mobile app.

Ethical hacking course specialists discovered that this credential exchange process had no protection, so a threat actor could capture the login credentials of the target user’s WiFi network and gain full access to it. The attack is somewhat complex, as the malicious hacker must be in a nearby location to intercept the login credentials at the exact time the key exchange occurs.

The experts sent a report to August in December 2019. The company responded with a joint disclosure proposal, although August stopped communicating with Bitdefender last June. In the absence of a response from the firm, the investigators decided to reveal the flaw, which has not been corrected. After the public disclosure, August undertook to release the updates required to eliminate it.