Aleph Research Advisory

Severity: High Product: Sciener Smart Locks

Technical Details

The TTLock App supports the creation of virtual keys and settings. They virtual keys are intended to be distributed to other individuals through the TTLock app, for unlocking and locking the lock. They can also be set to only be valid for a certain period of time. Deletion of these keys only occurs client side in the TTLock app, with the appropriate key information persisting within the associated lock. If an attacker acquires one of these keys, they can utilize it to unlock the lock after its intended deletion or invalidation.

Timeline

• 07-Mar-24: Public disclosure.
• 21-Dec-23: CVE-2023-6960 assigned.
• 29-Oct-23: Reported.

Credit

• Lev Aronsky (@levaronsky) of Aleph Research, HCL Software
• Idan Strovinsky of Aleph Research, HCL Software
• Tomer Telem of Aleph Research, HCL Software