The TTLock app does not properly verify that it is connected to a real lock

Aleph Research Advisory

Identifier

Severity

Moderate

Product

Sciener Smart Locks

Technical Details

The TTLock app does not properly verify that it is communicating with the expected device. A threat actor can exploit this by introducing a device that spoofs the MAC address of the lock, which allows further exploits, such as compromising the unlockKey value.
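
The gap described above, as an added example (not code from the advisory or from TTLock): a check that trusts the advertised MAC address accepts a spoofing device, while a challenge-response over a secret established at pairing rejects it. The `Peer` model, the HMAC-SHA256 scheme, and every name and value here are assumptions for illustration; the advisory does not describe the app's actual protocol or its fix.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


@dataclass
class Peer:
    """A BLE peripheral as the app sees it (constructed model, not TTLock code)."""
    mac: str
    pairing_secret: bytes  # hypothetical key shared with the app at pairing time

    def respond(self, nonce: bytes) -> bytes:
        # The peripheral proves possession of the secret by MACing the app's nonce.
        return hmac.new(self.pairing_secret, nonce, hashlib.sha256).digest()


def verify_by_mac(peer: Peer, expected_mac: str) -> bool:
    """Weak check: the advertised address is fully controlled by the peer."""
    return peer.mac.lower() == expected_mac.lower()


def verify_by_challenge(peer: Peer, expected_mac: str, pairing_secret: bytes) -> bool:
    """Hardened check: address match plus proof of the pairing secret."""
    if not verify_by_mac(peer, expected_mac):
        return False
    nonce = secrets.token_bytes(16)  # fresh per connection, so a proof cannot be replayed
    expected = hmac.new(pairing_secret, nonce, hashlib.sha256).digest()
    return hmac.compare_digest(peer.respond(nonce), expected)  # constant-time compare


# Constructed sample data: both peers advertise the same address.
LOCK_MAC = "AA:BB:CC:DD:EE:FF"
SECRET = secrets.token_bytes(32)
real_lock = Peer(LOCK_MAC, SECRET)
spoofed = Peer(LOCK_MAC, secrets.token_bytes(32))  # same MAC, does not know SECRET

if __name__ == "__main__":
    for name, peer in (("real lock", real_lock), ("spoofed device", spoofed)):
        print(name,
              "mac-only:", verify_by_mac(peer, LOCK_MAC),
              "challenge:", verify_by_challenge(peer, LOCK_MAC, SECRET))
```

In this model, an app would only exchange sensitive values with a peer after `verify_by_challenge` succeeds.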

Timeline

  • 29-Oct-23: Reported
  • 21-Dec-23: CVE-2023-7004 assigned
  • 07-Mar-24: Public disclosure

Credit

  • aronsky of Aleph Research, HCL Software
  • idan-strovinsky of Aleph Research, HCL Software
  • tomer-telem of Aleph Research, HCL Software