The August Smart Lock’s not so 2-Factor Authentication (Part 1)

TLDR: August really doesn’t have two-factor authentication, but what they have may be good enough.

I recently got my hands on the new August Smart Lock, but not to put on my door (well, at least not yet). Instead I was interested in the security of a product which is claimed to be “completely secure”. No joke, their promo video says completely secure! By definition, adding a second way to open a lock can only weaken the security of your house: a new way to unlock a lock always reduces overall security because it adds complexity.

A little bit on the August Lock

What first piqued my interest was a company claiming to make a “completely secure” product. With that being said, I do think their approach to smart locks is one of the more reasonable ones I have seen. Rather than replacing the entire lock, the August replaces the deadbolt knob and utilizes the existing locking mechanism. This is not only a very nice feature but essential for those living in apartments who want a smart lock, as replacing the entire lock is not an option. Additionally, August uses Bluetooth LE for all communication between the lock and the user’s phone. This phone-to-lock communication is what underpins the ability to create and provide guest keys.

On the August Company

I have been auditing the August lock since the middle of December 2014. When multiple security issues with the August lock became apparent I reached out to August (the company). Their response was very mature and left me with an overall positive opinion of the people at August in spite of their “completely secure” claims. They seemed genuinely interested in creating a secure experience, and did hire a security consulting company to review the August prior to release. (If you are reading this and work for that security company, I am deeply disappointed in you.)

Bla bla bla details time

I will not be releasing any of the more serious concerns I have with the August lock today as I would like to provide August a little more time to address them. However, I would like to publicly address a comment made when I mentioned to August they should use two factor authentication.

Me:  For any application where security is paramount two factor authentication is a must, as passwords tend to be shared between sites, and key-loggers, brute-force attacks and server-side exploits can significantly weaken password based security systems.

August: We do have multi-factor authentication in place. When first logging into the account, or when logging into another new device, an SMS or email verification code is required before allowing the user to proceed. There are other factors which are permitted to be used as the second factor during the authentication process, such as certain tokens previously stored on the user’s device, so this may be why you may or may not see a request for an SMS/email verification code if you are logging back into a device that you have previously used.

On the surface it would seem August does indeed have multi-factor authentication. So article over, nothing to see here, right? Well, no, but before I get into details let’s review what it means to have multi-factor authentication. There are three factors that are commonly used for multi-factor authentication: something the user has, something the user knows, and something the user is. In order for a system to have multi-factor authentication, two or more factors are required to authenticate a user. If it is possible to authenticate a user with only a single factor then the system does not use multi-factor authentication. It is important to remember that two things you have only count as a single factor, and two things you know also only count as a single factor.

“If you can create another factor, such as a special token on a particular computer based upon a set of something you know or a single biometric reading, this is effectively single factor authentication. For example, some banks implement a scheme that requires you to type a username, passwords and answer a personal question, and if you get those right, your computer will be marked as a physical factor. It’s obvious that this scheme is open to many attacks, but the primary weakness is that the system is not truly a two factor solution as it is based upon a simple set of “something you know” and thus you can make any computer a second factor if you know these details.”

OWASP

“For a strong authentication to be in process, it must include two out of the three authentication factors- also referred to as two factor authentication.”

Fundamentals of Information Systems Security

Going back to the response provided by August, we see they believe their multiple factors are something you have (a phone or email address) and something you know (a password). Now, if I can show that one only needs one of these things to gain control of an August lock, then this claim of multi-factor authentication is falsified.

How August’s authentication works

During the sign-in process your phone provides the August web servers with a randomly generated installId. This installId is never shown to the user. Whenever the user logs in from a new phone they will be sent a verification token via email or text message. Upon entering the token into the August mobile application they are allowed to log in.

Given that entering a user’s password represents a proof of knowledge, August must be assuming that access to an inbox or text message represents a proof of possession. For the time being let’s accept this to be true and look at the forgot my password feature implemented by August.

When a user indicates they forgot their password while using a phone which has previously logged into their account, August will send a token to the user’s email address. Upon entering this token the user will be able to change their password. If, however, this same process is done from a phone which has never been used to access their account, then after entering the token sent via email a second token will be sent via text message. This second token must be entered prior to resetting the password.

Looking at this process we see the user only provided proof that they control both the email address and the phone number tied to the account. In order for August to have two factor authentication we must now assume that either control of an email address or control of a phone represents proof of knowledge. If we do this, though, we create a contradiction, because the normal sign-in path that uses that same proof alongside the password would then rest on knowledge alone. Thus August cannot have two factor authentication.

Here is a more formal statement of my proof that August does not have two factor authentication:

Let p be proof of possession
Let k be proof of knowledge
Let e be proof of control of an email address
Let f be proof of control of a phone
Let w be proof of knowledge of the password
Let a be an authenticated user

Define multi-factor authentication
1) m=k+p

Define the “I forgot my password” authentication
2) a=e+f

Define the normal sign in process
3) a=w+f
4) a=w+e

Assume proof of knowledge of a password is proof of knowledge
let w=k

Substitute k for w
1) m=k+p
2) a=e+f
3) a=k+f
4) a=k+e

If we assume control of a phone number is proof of possession
let f=p

Substitute p for f
1) m=k+p
2) a=e+p
3) a=k+p
4) a=k+e

If we further assume control of an email address is proof of possession
let e=p

Substitute p for e
1) m=k+p
2) a=p+p
3) a=k+p
4) a=k+p

Equation 2 now authenticates a user with possession alone, which does not match the definition in equation 1.

However, if we instead assume control of an email address is proof of knowledge
let e=k

Substitute k for e
1) m=k+p
2) a=k+p
3) a=k+p
4) a=k+k

Equation 4 now authenticates a user with knowledge alone. So even when one attempts to claim control of an email address is proof of knowledge, August does not have multi-factor authentication.
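To check the same argument mechanically, here is an added Python example (not from the original post) that models each way of authenticating to August as a set of proofs and tries every classification of those proofs as knowledge or possession; it generalizes the proof above by showing that no classification makes every path two-factor. The path names and the w/e/f labels are the post's; the functions are mine.

```python
from itertools import product

# The two factor categories the post uses: something you know, something you have.
KNOW, HAVE = "knowledge", "possession"

# Constructed model of August's authentication paths as the post describes them.
# Each path is the set of proofs it demands, and any single path authenticates:
#   w = knowledge of the password, e = control of the email, f = control of the phone
AUGUST_PATHS = {
    "normal sign-in, token by text": {"w", "f"},
    "normal sign-in, token by email": {"w", "e"},
    "forgot password from a new phone": {"e", "f"},
}


def single_factor_paths(paths, factor_of):
    """Paths that authenticate with only one factor category under this classification.

    factor_of maps each proof to KNOW or HAVE; two proofs of the same category
    count as one factor, exactly as the post argues."""
    return [name for name, proofs in paths.items()
            if len({factor_of[p] for p in proofs}) < 2]


def is_multi_factor(paths, factor_of):
    """True only when every path demands at least two distinct factor categories."""
    return not single_factor_paths(paths, factor_of)


def multi_factor_classifications(paths):
    """Try every way of labelling the proofs as knowledge or possession and return
    the labellings under which the whole system is multi-factor (empty = none)."""
    proofs = sorted(set().union(*paths.values()))
    return [dict(zip(proofs, combo))
            for combo in product((KNOW, HAVE), repeat=len(proofs))
            if is_multi_factor(paths, dict(zip(proofs, combo)))]


if __name__ == "__main__":
    # The post's two cases: password is knowledge, phone is possession, email either.
    for email_kind in (HAVE, KNOW):
        weak = single_factor_paths(AUGUST_PATHS, {"w": KNOW, "f": HAVE, "e": email_kind})
        print(f"email as {email_kind}: single-factor paths = {weak}")
    # Sign-in alone would be two-factor; adding the reset path is what breaks it.
    print(is_multi_factor({"sign-in": AUGUST_PATHS["normal sign-in, token by text"]},
                          {"w": KNOW, "f": HAVE}))
    print("labellings that make August multi-factor:", multi_factor_classifications(AUGUST_PATHS))
```

Because the three paths cover every pair drawn from three proofs and only two categories exist, some pair must share a category, which is why the exhaustive search returns no labelling at all.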

Text messages and email as proofs

I would be remiss if I did not take a moment to comment on the use of text messages and emails as proofs of identity. Today’s email is largely unchanged from the early days of the internet. It remains a fundamentally insecure communication channel, akin to sending a postcard across the internet. Even if we were to solve the problem of secure email delivery, most users do not lock their home computer, and full disk encryption does not have great adoption. This means gaining physical access to someone’s computer is sufficient to gain access to their email. Furthermore, users are notorious for rampant password reuse and poor password selection. If one were able to recover a user’s password from one of the countless data breaches which occur every year, they would be able to use this password to access the user’s email account. And what of the possibility of the email provider being compromised, or malicious? In either case any system utilizing control of an email address as proof of identity could be compromised.

As for text messages, the story is not much better. SMS too is built on an insecure protocol and is reliant on the integrity and operational security of wireless carriers. (When was the last time you thought of a phone company as high in integrity?) Additionally, the wireless communication between cell towers and phones has been shown to be insecure on multiple occasions. The problem is further clouded by services like Google Voice which allow access to text messages and emails through a single sign-on. (Apple also appears to be moving closer and closer to a Google Voice-like solution, with phone calls and text messages being accessible from all Apple products.)

Conclusion

It may well be good enough to have a well constructed single factor authentication system for a home lock. After all, any lock only requiring a physical key is by definition a single factor authentication system (possession). Smart locks like the August do, however, expose users to a new class of threats. With a traditional lock an attacker would need physical access to the lock to compromise it. With internet enabled smart locks it becomes possible for an attacker to compromise one or many users’ locks remotely and then sell not only access but also knowledge of when the users will be away from home. This threat, however unlikely, is a distinct possibility which manufacturers should seek to mitigate before it ever comes to fruition.

  • Paul Moore @ Rambling Rant

    Great write-up!

    This clearly isn’t two factor authentication, so I won’t go over old ground.

    This is one area where I’m dubious about converging technologies, not least because vendors often make outlandish and frankly ridiculous claims. You’ll never hear security professionals refer to anything as “completely secure”, simply because it’s not possible. Security is a process, not a state.

    For this claim alone, I’d normally shun the August smart lock immediately. However, as you point out, they do offer two-step verification (not to be confused with two factor!) which undoubtedly increases assurance levels beyond that of a traditional password. A *very* brief look at the Android application reveals it’s been built with a reasonable degree of care wrt security. All data appears to travel over a pinned and sufficiently-secure protocol to prevent eavesdropping, something which can’t be said of many mobile banking apps.

    It’s also not clear if they used paired or bonded BLE connections; something which I’d want to know before even considering bolting it to my door. Bonded connections rely on TOFU (Trust on First Use) which essentially means the two devices no longer share information which isn’t encrypted with a pre-shared key, after the initial pairing. A paired connection leaks information which, to a suitably-equipped attacker, could lead to compromise. Bluetooth & BLE aren’t particularly easy to break, but it’s certainly possible given enough time. With a theoretical range of 160+ feet (assuming it’s not configurable), it’s entirely possible to communicate with multiple devices without ever leaving your own home.

    The sales pitch/video is all well & good, but I’m not sure it’s actually fixing real world problems. A traditional lock is an entirely mechanical process with, for the sake of argument, a near 100% success rate and assuming the barrel is sound, it should be relatively secure. I appreciate this technology is still bleeding-edge and likely riddled with bugs, but the increased attack surface FAR exceeds the minimal benefits it has to offer. It’s almost certainly going to invalidate your insurance in the event of a burglary too.

    The thought of connecting my front door lock to an internet connection would worry me to death, especially given their propensity for making unsubstantiated claims. Are their servers “completely secure” too?

    Nope, not for me.

    • jmaxxz

      @paulramblingrant:disqus stay tuned, more details will be released soon.

    • Joachim

      Sorry, but your argument and conclusion are seriously misleading. You seem to assume that the physical locks used in typical residential doors are secure. They are not. Even inexperienced thieves can pick your typical lock in seconds. So-called high security locks resist picking a little longer, but not by much. If someone wants in they will get in. Many doors even have glass insets that can be easily broken, and brute force is another approach. The only realistic purpose of the lock for your typical house is to deter casual entry by somebody who may try the door handle, but will not take it further. If you compare the effect of an electronic lock with this more realistic baseline the conclusion will be very different. Yes, security will be slightly weakened because of new attack surfaces, but not in any significant way because security was very low to begin with.

  • Pingback: The August Smart Lock’s not so smart password reset (Part 2) | Jmaxxz.com