Here's what happened when someone hacked the August Smart Lock
Worried about smart lock security? A recent vulnerability shows that smart lock makers still have a lot to learn.
For as long as humans have tried to lock up stuff, burglars have searched for ways to break those locks. Smart locks, with their Internet-connected perks (Open your door from anywhere! Share temporary digital keys!) are no exception.
Just ask Jmaxxz, a software engineer, security expert and well-intentioned white-hat hacker (someone who breaks locks to help identify fixable security problems) who spoke at the Defcon technology security conference earlier this month. His presentation highlighted vulnerabilities in August's first- and second-generation smart locks via live demonstration, claims we reported on as part of a larger piece on lock security on August 9.
As of August 19, the company has patched most of the problems Jmaxxz uncovered, and no one can now replicate them. As far as anyone knows, the vulnerability never resulted in a break-in. But beyond the technical issues Jmaxxz found, his work also called attention to the fact that August didn't respond to these issues with the degree of transparency we would expect from a company working to make our homes safer.
Problem guests
The ability to hack or otherwise flummox security devices is an unfortunate reality that has existed since we learned to make keys. We've written about a security system susceptible to wireless jamming, standalone cameras with weak default passwords and deadbolts that don't hold up well against a hammer and a screwdriver.
Here's how the whole August/Defcon episode went down.
Jmaxxz's demo uncovered one especially interesting area of vulnerability related to guest access. Both August's first- and second-gen locks let you grant someone ongoing, recurring or temporary access to your home via a digital "key" you can send to their smartphone via the August app.
While you might give a close friend or family member who doesn't live with you ongoing guest access, you can also extend recurring or temporary access to an Airbnb renter, cleaning service, dog walker, neighbor -- or anyone else who might need to unlock your front door when you're at work, on vacation or otherwise away.
Guest access is a feature commonly touted by smart lock makers, since it frees you from having to cut and hand out a bunch of physical keys. Convenience aside, Jmaxxz discovered a vulnerability with August's guest access that allowed guests to hack August's software and "enroll a new key." Once a guest enrolled a new key, they could control an August Smart Lock even after the homeowner removed them as a guest.
Hacking August
Before August's team fixed the issue, we decided to try it out ourselves. And a handful of calls with Jmaxxz later, our Associate Technical Editor Steve Conaway was indeed able to enroll a new key and control a HomeKit-enabled August Smart Lock.
Here's a very basic overview of what we did:
- Unboxed and configured a HomeKit-enabled August Smart Lock as usual
- Granted Steve temporary guest access
- While his guest access was active, Steve enrolled a new key (This was the tricky part. Venture over to Jmaxxz's Defcon presentation or to his blog for more details.)
- Removed Steve's guest access
- Steve used the newly enrolled key to control the August lock from his laptop
We managed to lock and unlock our lock a few times before August's fix. In fact, we were testing out our newly enrolled key when August's patch went live the afternoon of August 19 -- one minute it was working, the next minute it wasn't.
Here's a backdoor key opening and closing an August lock.
Before everyone freaks out about hacked locks, let's get real about the potential security risks around software-based locks. A 2014 FBI report states that 58.3 percent of burglaries involve forcible entry (breaking a window, kicking down a door), 35.2 percent involve unlawful entry (entering through an unlocked window or an open garage door), and 6.5 percent involve attempted forcible entry.
That means home invasions related to hacking a smart device are rare enough that the FBI doesn't provide statistics on them. That also means Jmaxxz's discovery (before August fixed it) was an unlikely route to take to access someone's home.
At the same time, the US Department of Justice's National Crime Victimization Survey (NCVS) from 2003 to 2007 says victims who were home during a burglary knew the offender in roughly a third of the 1 million average annual burglaries. During the same time period, victims of violent home invasions knew the offender 65 percent of the time.
Since this hack relates to an issue with August's guest access and that the NCVS has unsettling statistics to share about burglary victims who know their offenders, Jmaxxz's discovery was still concerning.
Transparency matters
August actively worked to fix the issue, though, so why do we still care? We care because we wish August had spoken more clearly about the flaw and fixed it faster. The good news is, this is a moment where we can learn a lot about how to do this better next time.
I reached out to August the day we wrote about Jmaxxz's findings on August 9 and asked for a comment. An August representative sent me the following response later that day:
"Yes, we have seen @Jmaxxz's presentation from DEF CON, which is impressive. Ultimately, what he showed was that a hacker could hack their own phone to obtain a one-time use key for their own lock. The ability for a user to download and access their own encrypted key has been removed. Our system has never been compromised and none of our users smart locks have been at risk."
Here's the thing -- we replicated Jmaxxz's key-enrolling hack as recently as August 19. And we weren't the only ones keeping track of August's progress. On August 10, Twitter user @rom asked August if there were firmware updates in the works to fix any of the issues highlighted at Defcon:
August customer service then replied on August 12 saying it had app fixes on the way that day, but the backdoor issue was still unresolved:
Other Twitter users continued to reach out to August questioning whether or not the issues had been fixed, but the ability to enroll a new key wasn't actually removed until August 19:
That was more than a week after the premature "We've got app fixes coming out today" tweet. Not only that, but August still hasn't issued a firmware update, something Jmaxxz says is necessary to fix at least one remaining issue he details in this blog post.
"I don't think the current fixes are sufficient," Jmaxxz told me on August 22, "However, August has deployed a number of important patches over the last couple weeks, and I am hopeful they will be deploying the needed firmware updates soon."
"Yes, we've seen his latest post," an August representative added in response, "Security is our top priority. Last week we pushed a server update that removed the ability for an authorized Guest to theoretically modify their authorized key and for an existing Guest to modify their access privileges. This week we are releasing a firmware update that prevents Guests from changing settings on the lock."
Now at least it seems everyone is on the same page.
Johns Hopkins University Computer Science Professor and Information Security Institute Technical Director Avi Rubin was pleased to hear August is working on fixes: "Often, vendors are quick to deny vulnerabilities in their system and to attack the security researcher or threaten them with lawsuits. It's nice to see that August admits that their issues exist and that they are fixing them. It would be nice to see an independent review that could confirm that the problem has indeed been fixed. I'm sure that Jmaxxz and others will be having a look sooner rather than later."
Securing the smart home
It isn't likely that sophisticated burglars with guest access to August locks rushed to their computers to circumvent software protocols while this vulnerability persisted. Even so, it's disconcerting that we were able to compromise our smart lock with a laptop and some coding help. It's even more disconcerting that August downplayed this issue with statements to the press and on social media that suggested everything with August Smart Locks was hunky-dory.
Ultimately, a secure smart-home product starts with the manufacturer. Companies need to be honest and proactive when issues arise so customers aren't left guessing about the security of their smart home devices, especially important ones like door locks.