August Smart Lock Pro + Connect Wi-Fi password disclosure via hardcoded key (CVE-2019-17098)

Assessment

CFSE Consequence Paths assesses August Smart Lock Pro + Connect Wi-Fi password disclosure via hardcoded key (CVE-2019-17098) at HIGH — the worst of 1 risk path (perception). The dominant consequence is exposure of sensitive data.

Vulnerability

August Smart Lock Pro + Connect Wi-Fi password disclosure via hardcoded key (CVE-2019-17098). Reported attack vector: Adjacent network (AV:A); attacker within Wi-Fi range during/around device provisioning.

CFSE Consequence Paths analysis

The vulnerability is decomposed into one risk path per terminal consequence. Each path is scored on its exposure (reachability × execution complexity) and the authority, perception, and physical/safety it reaches, together with its scale of reuse, scale of execution, and recoverability.

DATA_PRIVACY → HIGH

CPATH:1.0-candidate/TT:DATA_PRIVACY/RE:2/EC:3/EX:2/PH:0/DP:3/AT:2/CH:3/SR:4/SX:2/OR:3/EV:3/LS:HISTORICAL

Exposure EX=2 (reachability-bound) · bands PH=MONITOR · DP=HIGH · AT=ELEVATED → base HIGH · caps privacy-only cap → assessed HIGH.

• Terminal consequence is exposure of the home Wi-Fi password in plaintext via a hardcoded static AES key (ROT13-obfuscated) in the companion app. RE:2 because exploitation requires Wi-Fi radio proximity during the provisioning window (AV:A, adjacent/local-net, not internet-exposed). EC:3 standard researcher workflow: capture setup traffic, undo ROT13, apply static AES; reproducible but constrained by the setup-window opportunity. PH:0 the flaw does not actuate the lock and no direct safety effect. DP:3 the leaked Wi-Fi password is a credential / sensitive secret (C:H), not merely PII or telemetry;
• perception_feeds_action — false (no perception/world-model or safety-sensor state). AT:2 yields a bounded victim credential (the home Wi-Fi key) and a pivot to broader network authority, but does not grant lock control, admin/service authority, or any trust root. CH:3 the leaked Wi-Fi credential is a reusable cross-boundary bridge enabling lateral movement onto the home network and attacks on other devices;
• boundary_crossing — true (device/app/network boundaries crossed). SR:4 the AES key is hardcoded and shared across the entire app/product line (a single reusable secret / supply-chain-scope artifact). SX:2 despite the shared key, each exploitation still needs proximity and a live capture during a setup window, so execution is per-device proximity rather than fleet-scale remote. OR:3 remediation needs an app/firmware update to remove the embedded key and users must rotate Wi-Fi credentials; vendor stopped responding, but it does not require recall/signing-root rotation/fleet reprovision so recovery_needs_fleet_action=false. EV:3 reproduced by Bitdefender. LS HISTORICAL per case.
• active_exploitation — false (no in-the-wild exploitation reported).

Published baseline

• v3.1 6.5 MEDIUM — CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N — NVD
• v3.1 3.5 LOW — CVSS:3.1/AV:A/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N — Bitdefender via NVD

The published baseline above is retained for source review. The registry records the reachable consequence path, including deployment-specific cyber-physical consequence, physical/safety impact, scale, and recovery burden.

Sources

• NVD: https://nvd.nist.gov/vuln/detail/CVE-2019-17098