By: Paul Lariviere & Stephen Hall

Introduction:


During a recent Security Compass ‘Hack Week’ we decided to take a look at smart locks in an attempt to assess the current state of Smart Lock Security. For our project we decided to take a look at the August Smart Lock. The August Smart Lock is an electronic locking mechanism that can be controlled from a mobile device. It supports Apple and Android platforms and allows the owner to grant access to other smartphones on either a temporary, time-limited basis or a permanent basis from anywhere, as long as there is internet connectivity. The August Smart Lock is mounted on the back of almost any installed deadbolt, replacing the existing thumb latch but leaving the rest of the lock intact. In our opinion, this makes it a great solution for renters who already have high-security locks installed, as some of the other smart lock products require a full replacement of the deadbolt and provide only a basic lock cylinder.

There have been several articles written about Smart Locks lately, including this well thought-out piece by Schuyler Towne. We have not, however, seen any reports of thorough security testing carried out on these devices. In the few days we had to play with the August Smart Lock we were able to discover a series of vulnerabilities that would allow an attacker to add themselves as a Guest to any lock they were in range of, effectively giving an attacker the ability to unlock any lock they encounter.