The firmware of the Kontrol Lux lock can be updated w/o AuthZ/AuthC

Aleph Research Advisory

Identifier

CVE-2023-7017

Severity

Critical

Product

Sciener Smart Locks

Technical Details

The Kontrol Lux lock firmware update mechanism does not authenticate or validate firmware updates if passed to the lock through the Bluetooth Low Energy service. A message can be sent to the lock with a command to prepare for an update, rather than an unlock request. This allows an attacker within Bluetooth range to pass an arbitrary malicious firmware to the lock, compromising its integrity.

Timeline

07-Mar-24
: Public disclosure.
21-Dec-23
: CVE-2023-7017 assigned.
29-Oct-23
: Reported.

Posts

Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 2: discovered vulnerabilities)
By Lev Aronsky & Idan Strovinsky & Tomer Telem,
07-Mar 2024
Say Friend and Enter: Digitally lockpicking an advanced smart lock (Part 1: functional analysis)
By Lev Aronsky & Idan Strovinsky & Tomer Telem,
20-Feb 2024

Credit

Lev Aronsky (@levaronsky) of Aleph Research, HCL Technologies
Idan Strovinsky of Aleph Research, HCL Technologies
Tomer Telem of Aleph Research, HCL Technologies