CVE-2018-20100 – This vulnerability allows attackers to intercep... (How to Fix)

Q: What is the severity of CVE-2018-20100?

CVE-2018-20100 has a CVSS score of 9.8 (CRITICAL). This vulnerability allows attackers to intercept Wi-Fi credentials during the configuration of August Connect smart lock devices. Attackers within wireless range can capture home network passwords transmitted insecurely between the August app and the Connect device. This affects users of August Connect devices configured via the vulnerable August app.

📋 TL;DR

This vulnerability allows attackers to intercept Wi-Fi credentials during the configuration of August Connect smart lock devices. Attackers within wireless range can capture home network passwords transmitted insecurely between the August app and the Connect device. This affects users of August Connect devices configured via the vulnerable August app.

💻 Affected Systems

Products:

August Connect Wi-Fi Bridge
August Smart Lock Pro + Connect

Versions: All versions prior to firmware updates addressing the vulnerability

Operating Systems: Android, iOS

Default Config Vulnerable: ⚠️ Yes

Notes: Vulnerability exists during initial setup/configuration process when app communicates with Connect device

📦 What is this software?

August Connect by August

View all CVEs affecting August Connect →

August Connect Firmware by August

View all CVEs affecting August Connect Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers gain access to home Wi-Fi network, enabling further attacks on connected devices, data interception, and potential network compromise.

🟠

Likely Case

Local attackers capture Wi-Fi credentials, gaining unauthorized network access and potentially compromising other connected smart home devices.

🟢

If Mitigated

With proper network segmentation and monitoring, impact limited to isolated smart home network segment.

🌐 Internet-Facing: LOW (requires physical proximity to device during configuration)

🏢 Internal Only: HIGH (once on network, attacker can pivot to other devices)

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Attack requires proximity during device setup; tools for Wi-Fi packet capture widely available

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: August app updates and Connect firmware updates released in 2018

Vendor Advisory: https://support.august.com/hc/en-us/articles/360018406793

Restart Required: Yes

Instructions:

1. Update August mobile app to latest version. 2. Ensure August Connect device firmware is updated via app. 3. Reconfigure device if previously set up with vulnerable version.

🔧 Temporary Workarounds

Secure Configuration Environment

all

Configure August Connect in a secure, private location away from potential eavesdroppers

Temporary Network Isolation

all

Set up device on temporary isolated network, then move to main network after configuration

🧯 If You Can't Patch

Physically secure configuration area to prevent local attackers from intercepting setup traffic
Use wired configuration if supported, or configure in RF-shielded environment

🔍 How to Verify

Check if Vulnerable:

Check if August app version is pre-2018 updates and if Connect device was configured before security patches

Check Version:

Check app version in mobile app store; firmware version in August app device settings

Verify Fix Applied:

Verify August app is latest version and Connect firmware updated through app settings

📡 Detection & Monitoring

Log Indicators:

Unusual Wi-Fi configuration attempts
Multiple failed connection attempts to August Connect

Network Indicators:

Unencrypted HTTP POST traffic containing 'AugustWifiDevice' class data during device setup

SIEM Query:

search 'AugustWifiDevice' OR 'August Connect' in HTTP traffic during non-standard hours

📊 Metadata

CVE ID: CVE-2018-20100

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-311

Published: January 2, 2019

Last Updated: November 21, 2024

🔗 References

https://dojo.bullguard.com/dojo-by-bullguard/blog/august-connect/ Third Party Advisory
https://dojo.bullguard.com/dojo-by-bullguard/blog/august-connect/ Third Party Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2018-20100, you might also want to check these: