According to Bitdefender, the Smart Lock Pro smart door lock from August is insufficiently secured and thus reveals the WiFi password. Online rental companies often use these door locks. The vulnerability has been known since December but is still open.
The August Smart Lock Pro door lock allows attackers to obtain the WiFi password. According to Bitdefender, communication between the August hardware and the associated smartphone app is insufficiently secured: if the user enters the WiFi password during configuration in order to control the door lock remotely, third parties can simply read and decrypt that password.
Close the door, open the network
August Smart Lock Pro is available in Germany, Austria and Switzerland; it is one of the premium offerings among networked door locks. August writes on its website: “Our goal is to develop products and services that enable everyone to control and manage access to their homes from anywhere.” Smart door locks are popular for, among other things, the online rental of apartments, as they allow the landlord to give tenants temporary access without meeting them or leaving physical keys.
Bitdefender researchers had already reported the vulnerability to the manufacturer in December 2019. The manufacturer confirmed it and originally planned a joint release with Bitdefender in early June 2020. After August did not respond to further inquiries from Bitdefender in June and July, Bitdefender has now decided, after almost eight months, to publish the unpatched security vulnerability under CVE-2019-17098 in order to inform users. Bitdefender recently discovered a similar vulnerability in the Ring Video Doorbell Pro.
Quick access to the whole network
Successful theft of a WLAN password offers attackers a wide range of options: For example, they can access network storage, read what users are printing, steal passwords for online services and use personal information for further fraud.
Before giving a new device network access, according to Bitdefender, users should research who the manufacturer is, how often it publishes security patches and updates, and whether the device's security settings can be managed. The security checklist includes changing default passwords, blocking port forwarding in the router, and disabling potentially dangerous router protocols such as UPnP (Universal Plug and Play). Bitdefender also recommends using a security solution that can protect IoT devices from online attackers in order to keep data safe and confidential.
More on this in the labs at Bitdefender.com
About Bitdefender
Bitdefender is a leading global provider of cybersecurity solutions and antivirus software, protecting over 500 million systems in more than 150 countries. Since it was founded in 2001, the company's innovations have consistently ensured excellent security products and intelligent protection for devices, networks and cloud services for private customers and companies. As the supplier of choice, Bitdefender technology is found in 38 percent of security solutions deployed around the world and is trusted and recognized by industry experts, manufacturers and customers alike. www.bitdefender.de