Anti-Malware Research IoT Research Whitepapers

Smart Locks Not So Smart with Wi-Fi Security

The rise of online property rental in an increasingly competitive sharing economy has had a severe impact on the adoption of Internet-connected smart locks. Packed with features that allow landlords to issue and revoke access by electronically sharing a token or pin code during booking, intelligent locks have managed to eliminate meeting strangers or using key drops.

Unlike most IoT devices, smart locks are physical security boundaries, products originating from top lock companies are preferred to generic brands. But do these devices made by lock companies that made history in the evolution of the modern lock live up to their digital promise?

This article – part of a series developed in partnership with PCMag – aims to shed light on the security of the world’s best-sellers in IoT. PCMag contacted the research team at Bitdefender and asked us to look at several popular devices, including the August Smart Lock and Connect Wi-Fi Bridge. More information is available in this article published on our partner’s website.

Key findings – CVE-2019-17098

The Bitdefender IoT Vulnerability Research Team discovered that the device talks with the configuration application on the smartphone in an encrypted manner, but the encryption key is hardcoded into the app. This allows a potential attacker within range to eavesdrop on the traffic and intercept the Wi-Fi password. While this attack would NOT allow a hacker to unlock the front door, it would let them mount additional attacks against the home network.

This vulnerability is similar to the one identified in the Ring Video Doorbell Pro.

Download the full whitepaper

About the author

Avatar

Bogdan BOTEZATU

Bogdan Botezatu is living his second childhood at Bitdefender as senior e-threat analyst. When he is not documenting sophisticated strains of malware or writing removal tools, he teaches extreme sports such as surfing the web without protection or rodeo with wild Trojan horses. He believes that most things in life can be beat with strong heuristics and that antimalware research is like working for a secret agency: you need to stay focused at all times, but you get all the glory when you catch the bad guys.

Add Comment

Click here to post a comment