The security hole that Bitdefender found in the August Smart Lock Pro + Connect won’t let a hacker open your front door, but it could give a very patient one full access to your Wi-Fi network.

Bitdefender在August Smart Lock Pro + Connect中发现的安全漏洞不会让黑客打开您的前门，但是它可以让非常有耐心的人完全访问您的Wi-Fi网络。

By Neil J. Rubenking

由 尼尔J. Rubenking

There’s no question, smart door locks are incredibly convenient. Features like unlocking the front door with a phone app, logging all entries, and automatically locking up when you leave the area are great. If you’re engaged in the short-term rental business, choosing the right smart lock means you can give renters temporary access during their stay, with no need for the messy business of exchanging house keys. Even so, you might have just a little concern in the back of your mind. Hackers got into Kanye West’s Twitter account, after all. Maybe they could open your front door? If you use the August Smart Lock Pro + Connect, that’s not the problem. Your front door should stay locked even if a whole hacker krewe marches past chanting, “Open Sesame!” That said, an unpatched security hole in this device means those hackers could gain full access to your Wi-Fi network, which could be its own kind of disaster.

毫无疑问， 智能门锁非常方便。 诸如使用电话应用程序解锁前门，记录所有条目以及在您离开该区域时自动锁定等功能都很棒。 如果您从事短期租赁业务，则选择正确的智能锁意味着您可以在房客逗留期间为他们提供临时访问权限，而无需进行繁琐的房门钥匙交换业务。 即使这样，您的脑海中也可能只有一点点担心。 毕竟，黑客进入了Kanye West的Twitter帐户。 也许他们可以打开您的前门？ 如果您使用August Smart Lock Pro + Connect ， 那不是问题。 即使整个黑客团伙都在高呼“芝麻开门！”，您的前门也应该保持锁定状态。 也就是说，此设备中未打补丁的安全漏洞意味着这些黑客可以完全访问您的Wi-Fi网络，这可能是其自身的灾难。

PCMag has partnered with the Internet of Things security team at Bitdefender to answer just that sort of question. Bitdefender’s hacking team puts popular smart home devices to the test, looking for security holes that hackers could misuse. On discovering a problem, the team contacts the manufacturer, to give it time for a fix before disclosing the vulnerability. In the past, Ring has fixed a security problem with one of its smart doorbells that would have allowed a patient hacker to gain full access to the Wi-Fi network to which the device was connected. Belkin likewise fixed a similar problem with its WeMo Smart Plug. When consumers get a more secure product, everybody wins.

PCMag已与Bitdefender 的物联网安全团队合作，以回答此类问题。 Bitdefender的黑客团队对流行的智能家居设备进行了测试，以寻找黑客可能滥用的安全漏洞。 发现问题后，团队将与制造商联系，以便在披露漏洞之前有时间进行修复。 过去，Ring通过其智能门铃之一解决了一个安全问题 ，该问题使患者黑客可以完全访问该设备所连接的Wi-Fi网络。 Belkin的WeMo Smart Plug也解决了类似的问题。 当消费者获得更安全的产品时，所有人都会赢。

Things happened a bit differently in our investigation of the iBaby monitor. The Bitdefender team found a way for any owner of the camera to get access to pictures and videos from every such device. The company notified iBaby, without response. But after we published the news, iBaby pushed out a fix within a few days. That’s another win, albeit a delayed one.

在我们对iBaby显示器的调查中，情况发生了一些变化。 Bitdefender团队找到了一种方法，使相机的任何所有者都可以从每个此类设备访问图片和视频。 该公司通知iBaby，但没有回应。 但是，在我们发布新闻之后， iBaby在几天之内推出了修复程序 。 那是另一个胜利，尽管是一个延迟的胜利。

August智能锁的智能程度如何？ (How Smart Is the August Smart Lock?)

For the latest round of testing, the Bitdefender team, led by ethical hacking expert Alex “Jay” Balan, dug into the August Smart Lock Pro + Connect. This one has been a favorite of ours in the past and when we reviewed it in 2017, earned our Editors’ Choice badge. August recently released a version with integrated Wi-Fi that also won an Editors’ Choice award. Released three years ago, the Pro edition is an older lock, but you can be sure there are plenty of them installed on doors all over the country.

对于最新一轮的测试，由道德黑客专家Alex“ Jay” Balan领导的Bitdefender团队深入研究了August Smart Lock Pro + Connect。 过去一直是我们的最爱，当我们在2017年对其进行审查时，获得了我们的编辑选择徽章。 August最近发布了带有集成Wi-Fi的版本，该版本也获得了编辑选择奖。 Pro版本是3年前发布的，是一种较旧的锁，但是您可以确定全国各地的门上都安装了许多锁。

You control the lock using a smartphone app. If you’re within range, communication is managed via Bluetooth Low Energy (BLE). If not, the app connects through the internet to the Connect bridge (that’s where “+ Connect” comes from) which, in turn, controls the lock. The security team found that all commands between the devices are encrypted and “cannot be intercepted or modified.” In addition, the bridge to the Connect device only works if the user has an August lock registered to the account.

您可以使用智能手机应用程序控制锁。 如果您在范围内，则通过蓝牙低功耗(BLE)管理通信。 如果不是，则该应用程序通过互联网连接到Connect桥(这是“ + Connect”的来源)，然后由该桥控制锁定。 安全团队发现，设备之间的所有命令均已加密，并且“无法被拦截或修改”。 此外，仅当用户在帐户中注册了August锁时，才能连接到Connect设备。

Access to the account is secured and uses two-factor authentication. Only the owner has full control. Among the owner’s powers are the ability to give others full access, or just limited access. Without that access permission, hackers can’t open the door, period. There’s just one little problem, one very similar to what we encountered with the Ring Video Doorbell…

对帐户的访问是安全的，并使用两因素身份验证 。 只有所有者拥有完全控制权。 所有者的权力中包括授予他人完全访问权限或仅授予有限访问权限的能力。 没有该访问权限，黑客就无法打开门。 只有一个小问题，一个非常类似于我们在环形视频门铃中遇到的问题…

环的解决方案 (Ring’s Solution)

Like the Ring Video Doorbell, August needs a connection to your local Wi-Fi network. With no keyboard or other input device, you can’t just type in the username and password. Both devices use a common technique to manage the initial connection. You put the device in setup mode, which causes it to act as an access point. You connect to that access point using your smartphone. And the app passes the Wi-Fi login credentials to the device.

像Ring Video Doorbell一样 ，August需要连接到本地Wi-Fi网络。 没有键盘或其他输入设备，您不能只输入用户名和密码。 两种设备都使用通用技术来管理初始连接。 您将设备置于设置模式，这将使其充当接入点。 您可以使用智能手机连接到该接入点。 然后，该应用会将Wi-Fi登录凭据传递到设备。

Bitdefender’s team discovered a problem with this system. That exchange of credentials was not protected in any way. An intruder listening in to the network, even without logging in to the network, could capture the Wi-Fi credentials and thereby gain full access. Admittedly, the intruder must be listening at the exact moment the exchange takes place, but the researchers found a way to force reentry of the credentials.

Bitdefender的团队发现了该系统的问题。 凭证交换没有得到任何保护。 入侵者即使没有登录网络也可以监听Wi-Fi凭据，从而获得完全访问权限。 诚然，入侵者必须在交换发生的确切时刻进行监听，但是研究人员找到了一种强制重新输入证书的方法。

Implementing this hack would take a lot of patience. The hacker would have to find a spot close enough to listen in on the Wi-Fi network, perhaps a parked car. The attack that forces the doorbell offline takes time. And the device doesn’t reconnect until its owner notices that it’s offline and initiates the exchange.

实施此hack需要大量的耐心。 黑客必须找到一个足够近的地点，以监听Wi-Fi网络，也许是一辆停着的汽车。 迫使门铃脱机的攻击需要时间。 并且，只有在设备拥有者注意到设备已离线并启动交换后，设备才会重新连接。

Ring quickly fixed the problem by adding encryption to the credential hand off exchange.

Ring通过在凭证切换交换中添加加密来快速解决该问题。

It’s worth noting that a vast number of IoT devices use a similar technique to connect with your Wi-Fi network. Any device that doesn’t encrypt the credential exchange would be vulnerable to this attack.

值得注意的是，大量的物联网设备使用类似的技术来连接您的Wi-Fi网络。 任何不加密凭据交换的设备都容易受到此攻击。

默默无闻的安全性永远行不通 (Security Through Obscurity Never Works)

The developers at August made a good start at handling things better. They built in encryption from the start, so a network snoop couldn’t simply grab the Wi-Fi password, but they hard-coded the encryption key in the device’s firmware.

8月的开发人员为更好地处理问题开了一个良好的开端。 它们从一开始就内置了加密功能，因此网络监听无法简单地获取Wi-Fi密码，而是将加密密钥硬编码在设备的固件中。

They tried to hide it. According to Bitdefender, the key itself is encrypted using an extraordinarily simple cipher called ROT-13, for rotate 13. Picture two disks with the 26 letters around the edge. Rotate one by 13 places. Now A becomes N, B becomes O, and so on. It’s not exactly rocket science. The developers relied on obscuring the key rather than actually protecting it.

他们试图隐藏它。 据BitDefender的，关键本身是加密的使用极其简单的密码叫做ROT-13，用于旋转13图片两次与周围边缘的26个字母盘。 将其旋转13个位置。 现在，A变为N，B变为O，依此类推。 这不完全是火箭科学。 开发人员依靠隐藏密钥而不是实际保护密钥。

For precise details of what the team found, and how a hacker could steal your Wi-Fi networks login credentials, you can read Bitdefender’s whitepaper or blog post on the subject.

有关该团队发现的内容以及黑客如何窃取您的Wi-Fi网络登录凭据的确切详细信息，您可以阅读Bitdefender的白皮书或有关该主题的博客文章 。

是固定的吗？ 好吧，不 (Is It Fixed? Well, No)

Bitdefender notified August of this problem last December. August responded with a proposal for mutual disclosure to take place in June of 2020. After that, communication broke down. Bitdefender continued trying for a few more months, but eventually opted to disclose the problem. Under responsible disclosure protocols, researchers who find a problem typically give the company 90 days to devise a fix. In this case, Bitdefender waited almost three times as long.

去年12月，Bitdefender将此问题通知了八月。 作为回应，8月提出了一项相互公开的提议，提议于2020年6月进行。此后，沟通中断了。 Bitdefender继续尝试了几个月，但最终选择揭露该问题。 根据负责任的披露协议，发现问题的研究人员通常会给公司90天的时间来设计解决方案。 在这种情况下，Bitdefender等待的时间几乎是原来的三倍。

黑客能做什么？ (What Could Hackers Do?)

So, the bad news is that a very patient hacker could gain full access to your Wi-Fi network by using this security hole. I checked in with Bitdefender’s Jay Balan for some thoughts on just how bad. “People believe their home networks are secure,” noted Balan. “All of us suffer from this bias. All of us feel something is safe because it’s on our private network. As such, all our security measures are extremely relaxed in our home networks.”

因此，坏消息是，非常有耐心的黑客可以通过使用此安全漏洞来完全访问您的Wi-Fi网络。 我在Bitdefender的Jay Balan处检查了一些关于到底有多糟糕的想法。 “人们相信他们的家庭网络是安全的，” Balan说。 “我们所有人都遭受这种偏见。 我们所有人都觉得有些安全，因为它在我们的专用网络上。 因此，我们的所有安全措施在我们的家庭网络中都极为放松。”

He went on to point out some specific scenarios. Network printers communicate without encryption or authentication, so an attacker could capture and exfiltrate any documents you print. If you use a local Network Attached Storage (NAS) device for backups, chances are good it receives unprotected files for backup, once again giving the attacker full access. By monitoring the communications between IoT devices and other devices on the network, a hacker could gain control of those devices. Balan concluded, “Combining the comfort and safety you feel on your home private network with hacking techniques, hackers will have an easier time trying to social engineer users and steal their online credentials, launch phishing attacks and so on.”

他接着指出了一些具体情况。 网络打印机无需加密或身份验证即可进行通信，因此攻击者可以捕获和泄露您打印的所有文档。 如果您使用本地网络附加存储(NAS)设备进行备份，则很有可能会收到不受保护的文件进行备份，从而再次赋予攻击者完全访问权限。 通过监视IoT设备和网络上其他设备之间的通信，黑客可以控制这些设备。 Balan总结说：“将您在家庭专用网络上的舒适性和安全性与黑客技术相结合，黑客将可以更轻松地尝试向社交工程师用户窃取他们的在线凭据，发起网络钓鱼攻击等。”

八月的回应 (August’s Response)

We contacted August with our plans to release this report, requesting comment. The initial response emphasized August’s commitment to security, stating, “Maintaining our customers’ privacy and security are top priorities for us, as they are at the core of who we are as a company and how our products are created.” But it went on to describe the company’s response to a completely different problem, a hardware-based vulnerability dubbed Spectra. Interestingly, the Black Hat presentation on Spectra didn’t mention August at all, focusing on vulnerable Macs and smartphones.

我们与8月份联系，要求我们发布该报告的计划，请您发表评论。 最初的回应强调了August对安全的承诺，并指出： “维护客户的隐私和安全是我们的重中之重，因为他们是我们公司形象和产品创造方式的核心 。” 但是它继续描述了该公司对一个完全不同的问题的回应，这个基于硬件的漏洞被称为Spectra。 有趣的是， 有关Spectra的Black Hat演示根本没有提到August，而是针对易受攻击的Mac和智能手机。

When we clarified our request for comment, an August representative stated, “The August team is aware of the vulnerability and is currently working to resolve the issue. At this time, we are not aware of any customer accounts affected.” This is encouraging, though not borne out by the company’s interaction with the Bitdefender team. The representative also said, “The attacker must know precisely when the customer is setting up the Connect device. Once the Connect is fully set up, it is no longer vulnerable to this attack.”

当我们澄清评论要求时，八月的代表说： “八月的团队知道该漏洞，目前正在努力解决此问题。 目前，我们尚未发现任何受影响的客户帐户。” 令人鼓舞的是，尽管公司与Bitdefender团队的互动并未证明这一点。 该代表还说： “攻击者必须准确地知道客户何时设置Connect设备。 一旦Connect设置完毕，就不再容易受到这种攻击。”

That last part is not actually true, given the Bitdefender crew’s documented technique for forcing setup to happen on demand. The statement also said that only connection with Android devices is affected, not iOS. Bitdefender confirmed that Apple’s enhanced security means the attack indeed doesn’t work with an iOS device. And it’s worth reiterating that this vulnerability in no way gives an attacker control of the lock itself.

考虑到Bitdefender团队记录的强制按需进行设置的技术，最后一部分实际上并不正确。 声明还说，仅影响与Android设备的连接，不影响iOS。 Bitdefender确认，Apple增强的安全性意味着该攻击确实不适用于iOS设备。 值得重申的是，此漏洞绝不会让攻击者控制锁本身。

When you turn the spotlight of penetration testing on any device, there’s a decent chance you’ll find a security hole. We don’t fault August for the mere fact that a flaw turned up. We do remain concerned by the company’s response, however. After eight months the flaw hasn’t been fixed, and the company’s statement suggests an incomplete understanding of what’s wrong.

当您在任何设备上关注渗透测试时，很有可能会发现一个安全漏洞。 我们不会责怪8月，因为光是出现了缺陷。 但是，我们仍然对公司的回应表示关注。 八个月后，该缺陷仍未得到修复，该公司的声明表明对该问题的理解不完整。

For more information on how to keep your smart home safe, read our guide.

有关如何保护智能家居安全的更多信息，请阅读我们的指南 。

Originally published at https://www.pcmag.com.

最初发布在 https://www.pcmag.com 。