March 8, 2024 at 08:03AM
Multiple vulnerabilities in Sceiner firmware allow attackers to compromise smart locks sold under Sceiner’s name and under other brands such as Kontrol and Elock, as revealed by Aleph Research. The vulnerabilities affect products running firmware versions 6.5.x to 6.5.07 and the TTLock app version 6.4.5, and no software fix is currently available.
Based on the meeting notes, there are several critical takeaways for our action plan:
1. Sceiner’s smart locks, sold under various brands globally, have vulnerabilities in their firmware and associated applications; affected products include those sold by Kontrol and Elock in Israel.
2. The vulnerabilities allow attackers to manipulate the smart locks and gain unauthorized access through various methods, including exploiting flaws in the communication protocols, encryption, and verification procedures.
3. These vulnerabilities have been formally tracked as CVE-2023-7003 through CVE-2023-7007, CVE-2023-7009, CVE-2023-7017, and CVE-2023-6960, impacting specific firmware versions and the TTLock app.
4. The CERT Coordination Center (CERT/CC) at Carnegie Mellon University has issued an advisory, noting that the impacted vendors were notified in November 2023 but have not provided a response.
5. While there is no software solution available to address these vulnerabilities, CERT/CC suggests potential workarounds, such as disabling certain functions related to the Bluetooth capability of the locks. However, this may not be practical for most users who intend to use the locks with the TTLock app.
6. It’s essential for our company, as a distributor of Sceiner-developed smart locks, to take immediate action in reviewing and addressing these vulnerabilities to ensure the security and integrity of our products and the safety of our customers.
These takeaways will guide our next steps in addressing the vulnerabilities and ensuring the security of our products.