IoT Security

Unpatched Sceiner Smart Lock Vulnerabilities Allow Hackers to Open Doors

Multiple vulnerabilities in Sceiner firmware allow attackers to compromise smart locks and open doors.

Multiple vulnerabilities in Sceiner firmware allow attackers to manipulate smart locks and open doors, Aleph Research reveals.

Based in China, Sceiner is a technology company that manufactures smart locks sold worldwide both under its own name and under other brands, to which Sceiner supplies the lock designs, firmware, and companion applications.

Two of the companies that sell Sceiner-developed smart locks under their own brands are Israel-based Kontrol and Elock. Their products, Aleph Research says, are vulnerable because of issues in the Sceiner firmware and its companion application.

The locks are controlled from a mobile application, can be unlocked with an integrated keypad, a fingerprint reader, an RFID tag, or over the internet through a gateway device, and support peripherals such as wireless keypads.

Unlocking from the mobile application, the Sceiner-developed TTLock app, is a challenge-response exchange: the app sends an authorization command to the lock, the lock replies with a challenge, and the app must answer with a valid response (the unlockKey) before the door opens.

Issues in both the lock firmware and the app, including the use of a single AES key for all communication, the processing of plaintext messages, and support for insecure protocol versions, give attackers several ways to obtain the information needed to unlock a door.

The TTLock app can issue virtual keys meant to be valid only for a limited period. The AES key, the unlockKey, and the virtual key are all stored in the app and can be extracted from it for later use; because the time limit on a virtual key is enforced only by the app and not by the lock, an extracted virtual key remains valid until the lock is reset.
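A lock-side fix for the virtual-key problem, as an added example that is not TTLock or Sceiner code: the validity window is bound into the credential under a per-lock secret the app never holds, so the lock refuses an expired key regardless of what the app does, and editing the extracted key's expiry breaks the tag. The credential format, the per-lock secret and the function names are assumptions. The reported design, in which the lock only checks that the key is genuine and leaves the time limit to the app, is kept beside it for contrast.

```python
"""Lock-enforced validity window for a time-limited virtual key.

Added illustration, not TTLock or Sceiner code. The page reports that only
the app limits a virtual key's lifetime, so a key extracted from the app
stays valid until the lock is reset. The credential format and the per-lock
secret below are assumptions; the point is that the window is bound into the
key and checked by the lock, so extracting the key from the app gains nothing.
"""
import hmac
import struct
from hashlib import sha256

# Constructed: a per-lock secret held by the lock and the issuing server only,
# never handed to the app.
LOCK_SECRET = bytes.fromhex("5f1d2c7a9b0e4d3c8a7f6e5d4c3b2a19")

_BODY = ">HII"                        # unlockKey (16 bit), notBefore, notAfter (Unix seconds)
_BODY_LEN = struct.calcsize(_BODY)    # 10 bytes
_TAG_LEN = 16


def issue_virtual_key(lock_secret: bytes, unlock_key: int, not_before: int, not_after: int) -> bytes:
    """Server side: bind the unlockKey and its validity window under the lock's secret."""
    body = struct.pack(_BODY, unlock_key, not_before, not_after)
    tag = hmac.new(lock_secret, body, sha256).digest()[:_TAG_LEN]
    return body + tag


def _verify_tag(lock_secret: bytes, credential: bytes):
    """Return the parsed (unlockKey, notBefore, notAfter) if the tag checks out, else None."""
    if len(credential) != _BODY_LEN + _TAG_LEN:
        return None
    body, tag = credential[:_BODY_LEN], credential[_BODY_LEN:]
    expected = hmac.new(lock_secret, body, sha256).digest()[:_TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return struct.unpack(_BODY, body)


def lock_accepts_app_enforced(lock_secret: bytes, credential: bytes, now: int) -> bool:
    """The reported design: the lock checks only that the key is genuine and
    leaves the time limit to the app, so an extracted key never expires."""
    return _verify_tag(lock_secret, credential) is not None


def lock_accepts(lock_secret: bytes, credential: bytes, now: int) -> bool:
    """Hardened design: the lock itself enforces the window carried in the credential."""
    parsed = _verify_tag(lock_secret, credential)
    if parsed is None:
        return False
    _unlock_key, not_before, not_after = parsed
    return not_before <= now <= not_after


def extend_window(credential: bytes, new_not_after: int) -> bytes:
    """Attacker edits the extracted key's expiry; the original tag no longer matches."""
    unlock_key, not_before, _ = struct.unpack(_BODY, credential[:_BODY_LEN])
    return struct.pack(_BODY, unlock_key, not_before, new_not_after) + credential[_BODY_LEN:]
```

The hardened check only helps if the lock has a time source it can trust (or a counter the server advances); a lock with no reliable clock cannot enforce an expiry on its own, and the check then has to move to something the attacker cannot replay.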

Improper verification also allows an attacker to impersonate the lock and mount a man-in-the-middle (MitM) attack, eavesdropping on the TTLock app's communication to capture the encrypted initial authorization command and unlockKey value, and then brute force the challenge against the lock.


The limitation of this attack is that the lock takes several seconds to process each challenge response and there are 65,536 (2^16) possible unlockKey values, so a successful brute force could take several days.

However, because the protocol can be downgraded and the lock still processes plaintext messages, a MitM attacker can read the unencrypted unlockKey from the downgraded session and supply it to the lock as the challenge response, with no guessing at all.

Because the lock neither closes the connection after a wrong challenge response nor limits the number of responses that can be tried, an attacker can also enumerate all 65,536 values over a single held connection in under 40 minutes, cutting the brute-force time from days to minutes.
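The challenge-response exchange and the two attack paths above, modelled as an added example that is not Sceiner or TTLock code: a toy lock that negotiates a protocol version, issues a challenge and checks an unlockKey-derived response, with the reported behaviour (plaintext version accepted, no attempt limit, connection kept open after a bad response) as the default and the obvious hardening (refuse the plaintext version, drop the session after a few failures) as an option. The message encoding, the use of HMAC-SHA256 in place of the firmware's AES, the 4-byte challenge and the version numbers are all assumptions.

```python
"""Toy model of the TTLock-style unlock exchange described above. This is an
added illustration, not Sceiner or TTLock code. The page gives the shape of
the exchange (authorization command, challenge, unlockKey response, 65,536
possible unlockKey values, a negotiable plaintext protocol version, no attempt
limit); the message encoding, the keyed response function (HMAC standing in
for the firmware's AES) and "version 1 = plaintext, version 2 = keyed" are
assumptions."""
import hmac
import secrets
import struct
from hashlib import sha256

UNLOCK_KEY_SPACE = 1 << 16  # 65,536 values, as stated in the article

# Constructed stand-in for the single AES key the article says every lock shares.
SHARED_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")


def app_respond(version: int, challenge: bytes, unlock_key: int) -> bytes:
    """The app's answer to a challenge (assumed encoding)."""
    key_bytes = struct.pack(">H", unlock_key)
    if version == 1:                      # downgraded session: unlockKey in the clear
        return key_bytes
    return hmac.new(SHARED_KEY, challenge + key_bytes, sha256).digest()[:8]


class ToyLock:
    """Negotiates a protocol version, issues a challenge, checks the response.

    Defaults model the reported behaviour: the plaintext version is accepted
    and a wrong response neither closes the connection nor counts against a
    limit. min_version=2 with a small max_attempts is the hardened variant.
    """

    def __init__(self, unlock_key: int, *, min_version: int = 1, max_attempts=None):
        self._unlock_key = unlock_key
        self._min_version = min_version
        self._max_attempts = max_attempts
        self.version = None
        self.challenge = None
        self.failures = 0
        self.connected = True

    def negotiate(self, requested: int) -> bool:
        if requested < self._min_version:
            return False                  # hardened lock refuses the downgrade
        self.version = requested
        return True

    def authorize(self) -> bytes:
        """Reply to the app's authorization command with a fresh challenge."""
        if not self.connected or self.version is None:
            raise ConnectionError("no negotiated session")
        self.challenge = secrets.token_bytes(4)
        return self.challenge

    def unlock(self, response: bytes) -> bool:
        if not self.connected or self.challenge is None:
            raise ConnectionError("no open session")
        expected = app_respond(self.version, self.challenge, self._unlock_key)
        if hmac.compare_digest(response, expected):
            return True
        self.failures += 1
        if self._max_attempts is not None and self.failures >= self._max_attempts:
            self.connected = False        # drop the session after too many failures
        return False


def brute_force(lock: ToyLock):
    """Attacker who holds the shared key tries every unlockKey over one held
    connection. Returns (recovered unlockKey or None, attempts made)."""
    if not lock.negotiate(2):
        return None, 0
    challenge = lock.authorize()
    attempts = 0
    for guess in range(UNLOCK_KEY_SPACE):
        if not lock.connected:
            break
        attempts += 1
        if lock.unlock(app_respond(2, challenge, guess)):
            return guess, attempts
    return None, attempts


def mitm_downgrade(lock: ToyLock, app_unlock_key: int):
    """MitM relaying between app and lock proposes version 1 to the lock and
    reads the unlockKey the app then sends in the clear. None if refused."""
    if not lock.negotiate(1):
        return None
    challenge = lock.authorize()
    leaked = app_respond(lock.version, challenge, app_unlock_key)  # observed in transit
    return struct.unpack(">H", leaked)[0]


def estimated_minutes(attempts: int, seconds_per_attempt: float) -> float:
    """Wall-clock cost of an online brute force at a given per-attempt cost."""
    return attempts * seconds_per_attempt / 60
```

With illustrative per-attempt costs chosen to land in the ranges the article gives, estimated_minutes(UNLOCK_KEY_SPACE, 3) comes to roughly 2.3 days for the reconnect-per-attempt case and estimated_minutes(UNLOCK_KEY_SPACE, 0.035) to about 38 minutes over a held connection. Note that an attempt limit on its own does nothing against the downgrade path, which needs no guessing; the lock also has to refuse the plaintext protocol version, which is what min_version=2 models.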

Aleph Research also found that the AES key used to pair a lock with a wireless keypad is not unique, so it can be used against other locks running the same firmware; that an attacker impersonating a gateway device can easily make the server switch to a newly generated AES key; and that firmware updates delivered over Bluetooth LE are neither authenticated nor validated.

“These vulnerabilities allow attackers with physical, adjacent, or Bluetooth connection proximity to the lock access of various capabilities to compromise the lock integrity, without victim knowledge or interaction. This results in the lock’s functionality being null,” reads an advisory from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.

The identified issues, tracked as CVE-2023-7003 through CVE-2023-7007, CVE-2023-7009, CVE-2023-7017, and CVE-2023-6960, impact Kontrol Lux devices running firmware versions 6.5.x to 6.5.07, Gateway G2 products running firmware version 6.0.0, and the TTLock app version 6.4.5.

“There is no software solution for these vulnerabilities, only a potential work-around. By disabling various functions related to the Bluetooth capability of locks using Sciener firmware, several of the attacks can be prevented. However, as the locks are designed with the intention of utilization with the TTLock App, this may not be a practical solution for most users,” CERT/CC says.

The impacted vendors were notified in November 2023, but have not provided a response, CERT/CC notes.

Related: Nuki Smart Lock Vulnerabilities Allow Hackers to Open Doors

Related: Nexx Ignores Vulnerabilities Allowing Hackers to Remotely Open Garage Doors

Related: Researchers Devise New Type of Bluetooth LE Relay Attacks

Written by Ionut Arghire, international correspondent for SecurityWeek.