The firmware of the Kontrol Lux lock can be updated w/o AuthZ/AuthC

Aleph Research Advisory

Identifier

CVE-2023-7017

Severity

Critical

Product

Sciener Smart Locks

Technical Details

The Kontrol Lux lock firmware update mechanism does not authenticate or validate firmware updates if passed to the lock through the Bluetooth Low Energy service. A message can be sent to the lock with a command to prepare for an update, rather than an unlock request. This allows an attacker within Bluetooth range to pass an arbitrary malicious firmware to the lock, compromising its integrity.

Timeline

29-Oct-23
: Reported
21-Dec-23
: CVE-2023-7017 assigned
07-Mar-24
: Public disclosure

Credit

aronsky of Aleph Research, HCL Software
idan-strovinsky of Aleph Research, HCL Software
tomer-telem of Aleph Research, HCL Software