August Smart Lock Flaw Opens Your Wi-Fi Network to Hackers

Posted by xysoom 
January 18, 2022 03:42AM

There’s no question, smart door locks are incredibly convenient. Features like unlocking the front door with a phone app, logging all entries, and automatically locking up when you leave the area are great. If you’re engaged in the short-term rental business, choosing the right smart lock means you can give renters temporary access during their stay, with no need for the messy business of exchanging house keys. Even so, you might have just a little concern in the back of your mind. Hackers got into Kanye West’s Twitter account, after all. Maybe they could open your front door? If you use the August Smart Lock Pro + Connect, that's not the problem. Your front door should stay locked even if a whole hacker krewe marches past chanting, "Open Sesame!" That said, an unpatched security hole in this device means those hackers could gain full access to your Wi-Fi network, which could be its own kind of disaster. To get more news about home security products, you can visit securamsys.com official website.

PCMag has partnered with the Internet of Things security team at Bitdefender to answer just that sort of question. Bitdefender's hacking team puts popular smart home devices to the test, looking for security holes that hackers could misuse. On discovering a problem, the team contacts the manufacturer, to give it time for a fix before disclosing the vulnerability. In the past, Ring has fixed a security problem with one of its smart doorbells that would have allowed a patient hacker to gain full access to the Wi-Fi network to which the device was connected. Belkin likewise fixed a similar problem with its WeMo Smart Plug. When consumers get a more secure product, everybody wins.

Things happened a bit differently in our investigation of the iBaby monitor. The Bitdefender team found a way for any owner of the camera to get access to pictures and videos from every such device. The company notified iBaby, without response. But after we published the news, iBaby pushed out a fix within a few days. That’s another win, albeit a delayed one.

For the latest round of testing, the Bitdefender team, led by ethical hacking expert Alex “Jay” Balan, dug into the August Smart Lock Pro + Connect. This one has been a favorite of ours in the past and when we reviewed it in 2017, earned our Editors’ Choice badge. August recently released a version with integrated Wi-Fi that also won an Editors' Choice award. Released three years ago, the Pro edition is an older lock, but you can be sure there are plenty of them installed on doors all over the country.

You control the lock using a smartphone app. If you’re within range, communication is managed via Bluetooth Low Energy (BLE). If not, the app connects through the internet to the Connect bridge (that's where "+ Connect" comes from) which, in turn, controls the lock. The security team found that all commands between the devices are encrypted and “cannot be intercepted or modified.” In addition, the bridge to the Connect device only works if the user has an August lock registered to the account. Access to the account is secured and uses two-factor authentication. Only the owner has full control. Among the owner’s powers are the ability to give others full access, or just limited access. Without that access permission, hackers can't open the door, period.

Like the Ring Video Doorbell, August needs a connection to your local Wi-Fi network. With no keyboard or other input device, you can’t just type in the username and password. Both devices use a common technique to manage the initial connection. You put the device in setup mode, which causes it to act as an access point. You connect to that access point using your smartphone. And the app passes the Wi-Fi login credentials to the device.

Bitdefender’s team discovered a problem with this system. That exchange of credentials was not protected in any way. An intruder listening in to the network, even without logging in to the network, could capture the Wi-Fi credentials and thereby gain full access. Admittedly, the intruder must be listening at the exact moment the exchange takes place, but the researchers found a way to force reentry of the credentials.

Implementing this hack would take a lot of patience. The hacker would have to find a spot close enough to listen in on the Wi-Fi network, perhaps a parked car. The attack that forces the doorbell offline takes time. And the device doesn’t reconnect until its owner notices that it's offline and initiates the exchange.
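
The unprotected credential hand-off described in the post, next to a protected form, as an added example that is not part of the original post and is not August's or Bitdefender's code. The message fields and function names are hypothetical, and the device's public key is assumed to reach the app over a channel the app already trusts.

```javascript
// Added illustration: message fields and names are hypothetical, not August's protocol.
const nodeCrypto = require('crypto');

// Constructed sample credentials for a home network.
const creds = { ssid: 'HomeNet', psk: 'correct horse battery staple' };

// Weak form: the setup message when nothing protects the exchange.
function plaintextMessage(c) {
  return Buffer.from(JSON.stringify({ type: 'wifi-config', ...c }));
}

// Derive a one-time AES-256-GCM key from an X25519 shared secret.
function deriveKey(privateKey, publicKey, salt) {
  const secret = nodeCrypto.diffieHellman({ privateKey, publicKey });
  return Buffer.from(nodeCrypto.hkdfSync('sha256', secret, salt, 'wifi-provisioning', 32));
}

// App side: seal the credentials to the device's public key (assumption:
// the app obtained that key over a channel it already trusts).
function sealCredentials(c, devicePublicKey) {
  const eph = nodeCrypto.generateKeyPairSync('x25519');
  const nonce = nodeCrypto.randomBytes(12);
  const key = deriveKey(eph.privateKey, devicePublicKey, nonce);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, nonce);
  const body = Buffer.concat([cipher.update(JSON.stringify(c)), cipher.final()]);
  const epk = eph.publicKey.export({ type: 'spki', format: 'der' });
  return { epk, nonce, body, tag: cipher.getAuthTag() };
}

// Device side: rebuild the key and reject anything modified in transit.
function openCredentials(msg, devicePrivateKey) {
  const epk = nodeCrypto.createPublicKey({ key: msg.epk, type: 'spki', format: 'der' });
  const key = deriveKey(devicePrivateKey, epk, msg.nonce);
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, msg.nonce);
  decipher.setAuthTag(msg.tag);
  const plain = Buffer.concat([decipher.update(msg.body), decipher.final()]);
  return JSON.parse(plain.toString());
}

// Bytes that actually cross the setup access point for a sealed message.
function wireBytes(msg) {
  return Buffer.concat([msg.epk, msg.nonce, msg.body, msg.tag]);
}

// True if someone listening on the setup network can read the passphrase.
function observerSeesPsk(bytes, c) {
  return bytes.includes(c.psk);
}
```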