Smart home appliances are all about convenience. But when you add a new smart device to your home, you also introduce potential vulnerabilities. U-Tech locks, which can be remotely locked by hackers, demonstrate that fact. Researchers in a partnership between PCMag and Bitdefender found a flaw in August's smart locks, and while hackers cannot use it to open your door, they can access your home network.
The current problem does not affect all August locks, only the August Smart Lock Pro + Connect. It is the + Connect bit that leads to problems. The August Smart Lock Pro has been around for three years and is a popular choice among August fans. But the device itself does not have built-in Wi-Fi; you can only control it via Bluetooth. If you want remote access, you need to add the Connect bridge, which provides a Wi-Fi connection.
This is not uncommon for smart locks or other similar devices, and the way you connect the bridge to the August Smart Lock is not uncommon either. Because it does not have a keypad or touch screen, you cannot just enter your Wi-Fi details directly. Instead, the bridge broadcasts a Wi-Fi connection; you connect to it with your smart device and provide your Wi-Fi credentials.
The good news is that August wisely encrypted that communication process. Just listening to the network does not give you the credentials. The bad news is that August hardwired that encryption into the firmware, and it used relatively weak encryption.
As PCMag put it, August relied on “hiding the encryption, rather than protecting it.” Hackers can break through and listen when you send your Wi-Fi credentials to your August bridge.
While it sounds like a limited window, Bitdefender previously demonstrated a technique for knocking a similar bridge off the network. This would lead the user to go through the pairing process again. So a hacker with enough patience can force you to enter your credentials during a time window in which they are listening.
Bitdefender announced the problem in August 2019, and as of now, the company has not fixed the problem. Bitdefender usually provides a 90-day window to address an issue before it is published, but at this point, security researchers have waited three times as long.
This is unfortunate, especially for a smart home business that manufactures products specifically designed for safety. It's true that hackers cannot open your locks, but they can use the bug to access your home network, and that is almost as bad. They can access almost any device on your network, including NAS devices or your print queue. In theory, they could even access security cameras.
Hopefully, August will solve the problem sooner rather than later. In a statement to PCMag, August said: “The August team is aware of the vulnerability and is currently working to resolve the issue. We do not currently know of any affected customer accounts.”
If and when August corrects the problem, we will update this article with that information.
via PCMag, Bitdefender