Tô tiểu thư

Security Research

The firmware of the Kontrol Lux lock can be updated without authorization or authentication

December 20, 2023

Aleph Research Advisory

Severity: Critical

Product: Sciener Smart Locks

Technical Details

The Kontrol Lux lock firmware update mechanism does not authenticate or validate firmware updates when they are passed to the lock through the Bluetooth Low Energy service. Instead of an unlock request, a message can be sent to the lock with a command to prepare for an update. This allows an attacker within Bluetooth range to pass arbitrary malicious firmware to the lock, compromising its integrity.

Timeline

  • 07-Mar-24: Public disclosure.
  • 21-Dec-23: CVE-2023-7017 assigned.
  • 29-Oct-23: Reported.

Credit

  • Lev Aronsky (@levaronsky) of Aleph Research, HCL Software
  • Idan Strovinsky of Aleph Research, HCL Software
  • Tomer Telem of Aleph Research, HCL Software