The August Smart Lock’s not so smart password reset (Part 2)

If you have read my earlier article on the August Smart Lock, you know it does not have a two-factor authentication system, in spite of the claims of its creators. This article is about an exploitable vulnerability in August’s authentication system. August was first notified of this weakness on December 19, 2014. As of writing this article (March 3, 2015), August has not fixed the issue.

The Vulnerability

As a user of the August lock, if you ever forget your password August will send a verification code to your phone. This code is a value between 000000 and 999999, which means there are only one million possible reset codes. To a human this seems like a very big number, but for modern computers running at three billion operations per second, one-in-a-million events happen thousands of times a second. The code is sent via text message or email. By comparison, the weakest password August allows a user to select (an 8-character string of upper- and lower-case letters) has 28,179,280,000,000 possible combinations. Given this discrepancy, one can greatly increase the odds of a successful brute-force attack by issuing a password reset request first. Ideally August would limit both the number of reset requests which can be made in a short period and the number of times a user can attempt to enter a reset code. However, they do not. To prove this, I have created a proof-of-concept application which is capable of brute-forcing these reset codes. To avoid placing a large load on the August web servers, I have artificially limited the rate of requests the application makes by default.

071800: { code: 'InvalidArgument', message: 'Invalid code' }
071801: { code: 'InvalidArgument', message: 'Invalid code' }
071802: { code: 'InvalidArgument', message: 'Invalid code' }
...
071867: { code: 'InvalidArgument', message: 'Invalid code' }
071868: { code: 'InvalidArgument', message: 'Invalid code' }
071869: { code: 'InvalidArgument', message: 'Invalid code' }
071870: { code: 'Success' }
reset code was 071870

What users can do to protect themselves

As August has yet to fix the issue, all users of August locks should take note if they ever receive a reset code from August which they did not request. If this happens, users should immediately contact August and ask them to remove the reset code. This is no replacement for a proper fix from August, as it is unreasonable to expect users to constantly monitor their accounts and immediately contact August. However, as long as it remains unpatched, it is the only thing users can do.

Conclusion

Strong passwords are worthless when a weak password reset system is used. As account management systems are hard to do correctly, developers should outsource account management to the experts through the use of protocols like OAuth 2.0. For example, if August had used Facebook, Google, or Twitter for their account management system, they would have benefited not only from reduced development cost but also from a very robust account management solution.

See the proof of concept on GitHub

  • Mathew Michel

    Hi, is this still an issue now? Has August reached out to you since this post?

    • jmaxxz

      Shortly after this post August did make some changes to protect users from this issue. They let me test their proposed fix. This fix was better, but had some lesser issues. I have not verified these fixes were released, but it is my understanding they were.

      • Mathew Michel

        Awesome. Thank you!