August smart locks are a favorite among consumers and tech reviewers alike. At CNET we’ve recommended most August locks in their short tenure on the market, including the most recent. A new report, however, suggests setting up those smart locks might not be as secure as it should be.
The specific vulnerability gives a hacker a way to access your Wi-Fi network credentials, not the smart lock specifically. While no one could unlock your lock remotely through this vulnerability, they could access your Wi-Fi login information and wreak havoc on your home network.
How does it work?
Up until the model released this year, August Smart Locks communicated with your phone via Bluetooth. To control them over the internet, or to link them to supporting smart home devices, you needed the August Connect module. The August Connect plugs into a nearby wall outlet and bridges the connection between the Bluetooth-based August Smart Lock and your home Wi-Fi network.
The newest August Smart Lock, and our current Editors’ Choice winner, has Wi-Fi support built-in. Thus, it doesn’t need the Connect module, and isn’t vulnerable to this hack. It only affects older models, and only those that are paired with an August Connect.
For those older units, when you set up your August Smart Lock with the Connect module, the Connect creates an open access point on your Wi-Fi network in order to pass network credentials to your phone. That’s when information can be vulnerable to a snooping hacker.
The problem is that the encryption used by August relies on a key hard-coded into the August app, and that key can be easily decoded. That’s because the key is obscured with a pretty simple cipher called ROT-13, which stands for “rotate 13.” Here’s a quick definition from the PCMag report:
According to Bitdefender, the key itself is encrypted using an extraordinarily simple cipher called ROT-13, for rotate 13. Picture two disks with the 26 letters around the edge. Rotate one by 13 places. Now A becomes N, B becomes O, and so on.
The key that holds your network information is coded, but not truly hidden. If a diligent hacker watched your network and caught the moment of setup for your August Smart Lock and August Connect, they could intercept your Wi-Fi password through the smartphone’s easily cracked encryption method.
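Why ROT-13 leaves a hard-coded key coded but not hidden, as an added example (not code from August, Bitdefender or PCMag): an audit check that flags string constants that form a hex key either in the clear or after one keyless ROT-13 pass. The sample strings are constructed, and treating the key as a 32- or 64-character hex string is an assumption made for illustration.

```python
import codecs
import re

# Constructed sample of string constants, as a reviewer might pull them from
# an app's string table. None of these values come from the August app.
SAMPLE_STRINGS = [
    "https://api.example.invalid/v1/setup",
    "Connecting to your device...",
    "q0s1n2o3p4r5q6s7n8o9p0r1q2s3n4o5",  # ROT-13 of the hex string below
    "d0f1a2b3c4e5d6f7a8b9c0e1d2f3a4b5",  # hex key stored in the clear
]

# Assumed key format (hypothetical): 128- or 256-bit key written as hex.
HEX_KEY = re.compile(r"[0-9a-f]{32}|[0-9a-f]{64}")


def rot13(text):
    """ROT-13 has no secret: the same fixed shift both encodes and decodes."""
    return codecs.encode(text, "rot_13")


def find_hardcoded_keys(strings):
    """Return (original, encoding, recovered_key) for every constant that is
    a hex key as stored, or becomes one after a single ROT-13 pass."""
    findings = []
    for s in strings:
        low = s.lower()
        if HEX_KEY.fullmatch(low):
            findings.append((s, "plain", low))
        elif HEX_KEY.fullmatch(rot13(low)):
            # ROT-13 leaves digits alone and maps a-f onto n-s, so an
            # obfuscated hex key keeps its length and digit positions.
            findings.append((s, "rot13", rot13(low)))
    return findings


if __name__ == "__main__":
    for original, encoding, key in find_hardcoded_keys(SAMPLE_STRINGS):
        print(f"{encoding:5}  {original}  ->  {key}")
```

Both flagged constants deserve the same severity in a review: anything shipped inside the app can be recovered by anyone holding the app, whether or not ROT-13 was applied first.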
August responded to the PCMag report saying no known users were affected and that the hack is only possible during setup. PCMag and Bitdefender argue that they were able to force setup and credential reentry on demand.
This specific vulnerability applies only to users running the August app on an Android device, thanks to Apple’s beefier security on mobile devices. Many other parts of August’s system are commendable, like two-factor authentication when setting up a new account.
In the smart home era, it’s not uncommon to find security issues in Wi-Fi devices, but August was notified of the find in late 2019, and there haven’t been any updates that patch or solve the issue.
We reached out to August for comment on the PCMag and Bitdefender reports, and will update this story if it responds.