Challenge response can be retried indefinitely upon failure

Aleph Research Advisory

Identifier

CVE-2023-7006

Severity

High

Product

Sciener Smart Locks

Technical Details

The unlockKey value in a lock using Sciener firmware can be brute forced through repeated challenge requests, compromising the lock’s integrity. Challenge requests take place during the unlocking process, and contain a random integer between 0 and 65535. Challenge requests can be repeatedly prompted and responded to without any limitations, until the correct integer is discovered. Successfully completing the challenge request provides the unlockKey value that can be used to open the lock.

Timeline

07-Mar-24
: Public disclosure.
21-Dec-23
: CVE-2023-7006 assigned.
29-Oct-23
: Reported.

Posts

Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 2: discovered vulnerabilities)
By Lev Aronsky & Idan Strovinsky & Tomer Telem,
07-Mar 2024
Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 1: functional analysis)
By Lev Aronsky & Idan Strovinsky & Tomer Telem,
20-Feb 2024

Credit

Lev Aronsky (@levaronsky) of Aleph Research, HCL Technologies
Idan Strovinsky of Aleph Research, HCL Technologies
Tomer Telem of Aleph Research, HCL Technologies