Smart Locks Not So Smart with Wi-Fi Security

The rise of online property rental in an increasingly competitive sharing economy has had a severe impact on the adoption of Internet-connected smart locks. Packed with features that allow landlords to issue and revoke access by electronically sharing a token or pin code during booking, intelligent locks have managed to eliminate meeting strangers or using key drops.

Unlike most IoT devices, smart locks are physical security boundaries, products originating from top lock companies are preferred to generic brands. But do these devices made by lock companies that made history in the evolution of the modern lock live up to their digital promise?

This article – part of a series developed in partnership with PCMag – aims to shed light on the security of the world’s best-sellers in IoT. PCMag contacted the research team at Bitdefender and asked us to look at several popular devices, including the August Smart Lock and Connect Wi-Fi Bridge. More information is available in this article published on our partner’s website.

Key findings – CVE-2019-17098

The  Bitdefender  IoT  Vulnerability  Research  Team  discovered  that  the  device  talks  with  the  configuration  application  on the smartphone in an encrypted manner, but the encryption key is hardcoded into the app. This allows a potential attacker within range to eavesdrop on the traffic and intercept the Wi-Fi password. While this attack would NOT allow a hacker to unlock the front door, it would let them mount additional attacks against the home network.

This vulnerability is similar to the one identified in the Ring Video Doorbell Pro.

Download the whitepaper