Vulnerability with Smart Lock could give hackers full access to Wi-Fi networks

If you use the August Smart Lock Pro + Connect wireless door lock, be aware that an unpatched security flaw in the lock means hackers can gain full access to your Wi-Fi network.

The August Smart Lock Pro + Connect lets users control access to a house or other premises. With a single tap, the homeowner can open or lock the door. The lock can also grant visitors entry and monitor who goes in or out of the house.

The device can't connect directly to the Internet because it lacks the necessary hardware. Instead, it is controlled over Bluetooth Low Energy (BLE) when the user is within range. For remote management, August provides the Connect Wi-Fi bridge, which links the lock to the Internet and relays commands back and forth between the lock and the person managing it.
The commands exchanged between devices are encrypted with Transport Layer Security (TLS) and cannot be modified or exploited in any way. In addition, the August connection to the wireless network can only be configured once the owner has registered the lock in their account. The user gains access to the account through two-step verification; the owner has full permissions and can grant visitors full or limited access, receive instant notifications and check the lock's status.

To provide these functions, the August Smart Lock Pro + Connect must of course connect to the user's Wi-Fi network. Because the device has no keyboard or other input device, August uses a common technique to set up connectivity: the device enters setup mode and acts as an access point that the smartphone connects to. The app must then transfer the Wi-Fi credentials to the smart lock, but this link is open (unencrypted) and therefore vulnerable to attack. Although the device's firmware encrypts the login credentials, it uses ROT13, a simple cipher that nearby hackers can easily crack.
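
The weakness described above can be turned into a provisioning test for device firmware. The following is an added example, not code from Bitdefender or August: it checks whether known lab credentials can be recovered from captured setup traffic in plaintext, ROT13 or hex (hex goes beyond the case in the text). The payload layout, names and credentials are constructed for illustration and are not August's wire format.

```python
import codecs


def rot13(text: str) -> str:
    """Rotate A-Z/a-z by 13 places. There is no key, and applying it twice undoes it."""
    return codecs.encode(text, "rot13")


def keyless_forms(secret: str) -> dict[str, bytes]:
    """Forms of `secret` that any observer can reverse without knowing a key."""
    raw = secret.encode("utf-8")
    return {
        "plaintext": raw,
        "rot13": rot13(secret).encode("utf-8"),
        "hex": raw.hex().encode("ascii"),
    }


def audit_payload(payload: bytes, test_secrets: dict[str, str]) -> list[tuple[str, str]]:
    """Return (secret name, encoding) for every test secret recoverable from payload."""
    lowered = payload.lower()  # hex may be sent in either case
    findings = []
    for name, secret in test_secrets.items():
        for encoding, needle in keyless_forms(secret).items():
            haystack = lowered if encoding == "hex" else payload
            if needle in haystack:
                findings.append((name, encoding))
    return findings


# Constructed lab credentials and a constructed setup message (assumed layout).
TEST_SECRETS = {"ssid": "HomeNet", "psk": "Correct-Horse-7"}
SAMPLE_PAYLOAD = (
    '{"ssid":"%s","psk":"%s"}' % ("HomeNet", rot13("Correct-Horse-7"))
).encode("utf-8")

if __name__ == "__main__":
    for name, encoding in audit_payload(SAMPLE_PAYLOAD, TEST_SECRETS):
        print(f"FAIL: {name} is recoverable from setup traffic ({encoding})")
```

A setup exchange passes only when the function returns an empty list for traffic captured while provisioning with the lab credentials.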


Finally, here is the timeline from discovery to disclosure of the vulnerability:

December 9, 2019: Initial contact with affected suppliers and exchange of PGP keys

December 10, 2019: Supplier receives a copy of the report in advance

December 18, 2019: The information is sent to the affected suppliers again

December 18, 2019: Vulnerability confirmed

December 18, 2019: CVE-2019-17098

May 11, 2020: Suppliers request that disclosure be arranged for early June 2020

January 16, 2020: Bitdefender prepares to update

July 2, 2020: Bitdefender prepares for another update

August 6, 2020: Bitdefender did not receive a response from the vendor and disclosed the vulnerability.