Extract Firmware Key
August uses AES to encrypt communications between a user's phone and lock. This encryption both protects the traffic from eavesdropping and tampering and, at the same time, authenticates the user. Any user of type 'owner' (also referred to as 'superuser') is provided offline encryption keys which can be used to communicate with the lock directly. A user who is not of type 'owner', or who has not yet been provided an offline key, must instead rely on ciphertext exchanged between the lock and August's web server in order to establish a session key. In these scenarios the lock and August's web servers both use a firmware key to encrypt and decrypt those messages. This key appears to be unique for each lock.
The firmware key is a special key in the August ecosystem: only sessions that have been established with the firmware key are able to enroll new offline keys. If the firmware key is corrupted or lost, it is very difficult, if not impossible, to enroll any new offline keys. For this reason changing the firmware key is very risky and unlikely ever to be done after a lock leaves the factory.
If an attacker gains knowledge of the firmware key for any lock, it is very likely they would gain permanent access to that lock. As a result, it is very important that non-owners never be allowed to access or derive the firmware key for a given August lock.
Unfortunately for owners of the August lock, August has provided a web service which leaks the firmware key. When a new version of firmware is available, the phone application automatically downloads and installs it. To do this the August application makes a single request to https://api-production.august.com/locks/{lockid}/firmware/ti/{version}. The response to this request is a gzipped firmware image followed by 68 bytes of configuration data specific to the lock. This configuration data includes the firmware key of the specified lock.
The firmware-update API is accessible not only to owners of the lock but to any guest who has not been restricted in what times of day they are allowed to open the lock. Any person who has been granted vanilla guest access to a home with an August lock can therefore easily gain irrevocable access via the firmware key.
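As an added example (not code from this repository or from August), the following Python splits a saved firmware response into the decompressed image and the trailing 68-byte configuration block. It does this by letting zlib consume exactly one gzip member and keeping whatever bytes follow it, which avoids guessing the boundary from the image size. The sample response is constructed inline; the internal layout of the 68 bytes, including where the key sits, is not documented on this page, so the code only isolates and hex-dumps the block. The function and constant names are this example's own assumptions.

```python
import gzip
import zlib
from typing import Tuple

# Size of the lock-specific configuration block that follows the gzip image,
# per the write-up above. Its internal layout (which bytes are the firmware
# key) is not given on this page, so this code only isolates the block and
# makes no claim about the key's offset.
CONFIG_LEN = 68


def split_firmware_response(blob: bytes) -> Tuple[bytes, bytes]:
    """Split a raw firmware response into (decompressed image, config block).

    The response is one gzip member immediately followed by the configuration
    bytes, so the cleanest way to find the boundary is to have zlib decode
    exactly one gzip member (header, deflate body, CRC32/ISIZE trailer) and
    return whatever it did not consume.
    """
    d = zlib.decompressobj(16 + zlib.MAX_WBITS)  # wbits=31: gzip framing only
    image = d.decompress(blob)
    if not d.eof:
        raise ValueError("truncated gzip member: no complete firmware image")
    config = d.unused_data
    if len(config) != CONFIG_LEN:
        raise ValueError(
            f"expected {CONFIG_LEN} trailing configuration bytes, got {len(config)}"
        )
    return image, config


def hexdump(data: bytes, width: int = 16) -> str:
    """Classic offset / hex / ASCII dump for eyeballing the configuration block."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        asc_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{off:04x}  {hex_part:<{width * 3}} {asc_part}")
    return "\n".join(lines)


def build_firmware_url(lock_id: str, version: str) -> str:
    """URL of the firmware endpoint named in the write-up (no request is made here)."""
    return f"https://api-production.august.com/locks/{lock_id}/firmware/ti/{version}"


# --- constructed sample, not a real capture ---------------------------------
FAKE_IMAGE = b"\x00" * 64 + b"fake TI firmware image" + b"\xff" * 64
FAKE_CONFIG = bytes(range(CONFIG_LEN))  # 68 placeholder bytes, no real key
SAMPLE_RESPONSE = gzip.compress(FAKE_IMAGE) + FAKE_CONFIG


if __name__ == "__main__":
    # In practice the blob is the body of an authenticated GET to
    # build_firmware_url(lock_id, version), e.g. saved from an intercepting
    # proxy; using the constructed sample keeps this example offline.
    img, cfg = split_firmware_response(SAMPLE_RESPONSE)
    print(f"image: {len(img)} bytes, config: {len(cfg)} bytes")
    print(hexdump(cfg))
```

The length check matters: if the server ever appends more or fewer than 68 bytes, or returns a different container format, the function refuses rather than silently treating the wrong bytes as the configuration block.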
The screenshot below is of a firmware key extracted with this technique by a guest user.

If you break your own or anyone else's lock it is your own fault. While I've tried to make both the tools and directions in this repository easy to use, there is an inherent risk associated with any project like this. Please use all information provided on this site in a responsible manner. As with any lock picking, only use these tools and information on locks you own or have permission to manipulate.