August smart locks are a favorite among consumers and tech reviewers alike. At CNET we've recommended most August locks in their short tenure on the market, including the most recent August Wi-Fi Smart Lock. A new report, however, suggests setting up those smart locks might not be as secure as it should be.
PCMag and Bitdefender partnered in a test of the August Smart Lock Pro and Connect module. They found a concerning vulnerability during setup. Both Bitdefender and PCMag published posts about the vulnerability on Monday.
The specific vulnerability gives a hacker a way to access your Wi-Fi network credentials, not the smart lock specifically. While no one could unlock your lock remotely through this vulnerability, they could access your Wi-Fi login information and wreak havoc on your home network.
How does it work?
Up until the most recent model released this year, August Smart Locks communicated to your phone via Bluetooth. To control them over the internet, or to link them to supporting smart home devices, you needed the August Connect module. The August Connect plugs into a nearby wall outlet and bridges the connection between the Bluetooth-based August Smart Lock and your home Wi-Fi network.
The newest August Smart Lock, and our current Editors' Choice winner, has Wi-Fi support built-in. Thus, it doesn't need the Connect module, and isn't vulnerable to this hack. It only affects older models, and only those that are paired with an August Connect.
For those older units, when you set up your August Smart Lock with the Connect module, the Connect creates an open access point on your Wi-Fi network in order to pass network credentials to your phone. That's when information can be vulnerable to a snooping hacker.
The problem is that the key protecting those credentials is hard-coded into the August app and can be easily recovered, because it is obscured with a very simple cipher called ROT-13, which stands for "rotate 13." Here's a quick definition from the PCMag report:
According to Bitdefender, the key itself is encrypted using an extraordinarily simple cipher called ROT-13, for rotate 13. Picture two disks with the 26 letters around the edge. Rotate one by 13 places. Now A becomes N, B becomes O, and so on.
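To make concrete why a ROT-13-protected key offers no real secrecy, here is a small added example (written for this article, not code from August, PCMag or Bitdefender). It implements ROT-13 as the quote describes it, shows that applying it twice returns the original so encoding and decoding are the same keyless step, and goes one step further than the article: ROT-13 is one instance of a Caesar shift, and the whole family has only 26 possible shifts, so even an unknown shift is recoverable by trying all of them. The embedded key string is a constructed placeholder, not August's real key.

```python
import codecs
import string

# ROT-13 exactly as described: rotate each of the 26 letters 13 places.
# Non-letters pass through unchanged, matching the standard codec.
_ROT13_TABLE = str.maketrans(
    string.ascii_lowercase + string.ascii_uppercase,
    string.ascii_lowercase[13:] + string.ascii_lowercase[:13]
    + string.ascii_uppercase[13:] + string.ascii_uppercase[:13],
)


def rot13(text: str) -> str:
    """Apply ROT-13 to a string."""
    return text.translate(_ROT13_TABLE)


def is_involution(text: str) -> bool:
    """ROT-13 undoes itself: the 'decryption key' is the same operation.

    That is why it is an encoding, not encryption: there is no secret to keep.
    """
    return rot13(rot13(text)) == text


def matches_stdlib(text: str) -> bool:
    """Sanity check against Python's built-in rot_13 codec."""
    return rot13(text) == codecs.encode(text, "rot_13")


# Constructed placeholder standing in for a key an app might embed
# obfuscated with ROT-13. NOT a real August value.
PLAINTEXT_KEY = "example-embedded-key-0000"
OBFUSCATED_KEY = rot13(PLAINTEXT_KEY)


def recover_obfuscated(blob: str) -> str:
    """Anyone who can read the app's bytes recovers the key with no key material."""
    return rot13(blob)


def caesar_shift(text: str, n: int) -> str:
    """General Caesar shift by n places; ROT-13 is caesar_shift(text, 13)."""
    out = []
    for ch in text:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def all_shift_candidates(ciphertext: str) -> dict:
    """Try every possible Caesar shift. The key space has only 26 entries,
    so an unknown shift costs 26 guesses; ROT-13 is entry 13."""
    return {n: caesar_shift(ciphertext, -n) for n in range(26)}


if __name__ == "__main__":
    print("A ->", rot13("A"), " B ->", rot13("B"))
    print("obfuscated:", OBFUSCATED_KEY)
    print("recovered: ", recover_obfuscated(OBFUSCATED_KEY))
    print("shift 13 candidate:", all_shift_candidates(OBFUSCATED_KEY)[13])
```

The takeaway for anyone reviewing a mobile app or firmware image: a secret that is only ROT-13'd (or Caesar-shifted, base64'd, or XOR'd with a fixed byte) is readable by whoever holds the binary, so credentials passed during device setup need a real key exchange rather than a transform hidden in the client.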
The key that holds your network information is encoded, but not truly hidden. If a diligent hacker watched your network and caught the moment of setup for your August Smart Lock and August Connect, they could intercept your Wi-Fi password through the app's easily cracked encryption method.
August responded to the PCMag report saying no known users were affected and that the hack is only possible during setup. PCMag and Bitdefender argue that they were able to force setup and credential reentry on demand.
This specific vulnerability applies only to users on an Android device for the August app, thanks to Apple's beefier security on mobile devices. Many other parts of August's system are commendable, like two-factor authentication when setting up a new account.
In the smart home era, it's not uncommon to find security issues in Wi-Fi devices, but August was notified of the find in late 2019, and there haven't been any updates that patch or solve the issue.
Update, 5:56 p.m. PT: We reached out to August for comment on the PCMag and Bitdefender reports. Here's what a spokesperson told us:
The August team is aware of the vulnerability outlined by PCMag and Bitdefender and is actively working to resolve the issue. As of Aug. 7, 2020, security updates are in production for both the firmware in the device and the Android app.
We are unable to confirm the claim put forward by Bitdefender and PCMag that states an attacker can force the Connect Wi-Fi Bridge back into setup mode once set up. If a customer believes their Wi-Fi network has been compromised, we recommend changing their password once the Connect device has been set up. Once the Connect is set up, it is no longer vulnerable.
It's important to note that there are very specific circumstances and an extremely narrow window of time where this vulnerability is valid: The August owner must be using the Android app to set up the Connect and the attacker must know precisely when the customer is setting up the Connect device. This vulnerability is not valid on iOS.
At this time, August is still not aware of any customers affected by this vulnerability and this vulnerability does not affect the new August Wi-Fi Smart Lock nor any lock without a Connect.
Update, August 21, 2020: We asked for clarification regarding August's comment that it was unable to confirm the claim. Here's what a spokesperson told us:
August maintains that the claim that an attacker can force an August Connect device into setup mode is incorrect. The method published for getting the Connect device back into setup mode is actually the attacker tricking the user into manually putting their device into this mode by tampering with the customer's Wi-Fi network. The Connect never launches a setup state without the customer actively initiating it.
If the Connect's firmware is up-to-date and the user's August Android app is up-to-date, their device will not be vulnerable to the original attack even if the unit enters into setup mode.
We will continue to update this story as August works through the vulnerability.