Multiple vulnerabilities in Sceiner firmware allow attackers to manipulate smart locks and open doors, Aleph Research reveals.
Based in China, Sceiner is a technology company that manufactures various smart locks that are sold worldwide both under its name and under other brands, to which Sceiner supplies the smart lock designs, firmware, and associated applications.
Two of the companies that sell Sceiner-developed smart locks under their brands are the Israeli-based Kontrol and Elock. Their products, Aleph Research says, are vulnerable due to issues identified in the Sceiner firmware and associated application.
The smart locks support control from a mobile application, can be unlocked using an integrated keypad, a fingerprint reader, RFID tag, and over the internet using a gateway device, and support peripherals, such as wireless keypads.
The interaction between the smart lock and the mobile application, the TTLock app developed by Sceiner, essentially involves sending an authorization command to the lock, which responds with a challenge, to which the app needs to provide a valid response (unlockKey) to unlock the door.
Issues identified in both the lock firmware and the mobile application, such as the use of a single AES key for communication, plaintext message processing, and the use of insecure communication protocol versions, allow attackers to obtain the information required to unlock doors in several ways.
The TTLock app can provide virtual keys to be used for limited periods of time. The AES key, the unlockKey, and the virtual key are stored in the app and can be extracted from it for later use and, because only the app applies limitations to the virtual key, it remains valid until the lock is reset.
Improper verification procedures allow attackers to impersonate the lock and mount a man-in-the-middle (MitM) attack to eavesdrop the communication with the TTLock app to obtain the encrypted initial authorization command and value of the unlockKey and to brute force the challenge.
The limitation of the attack is that it takes several seconds for the lock to process a challenge response and there are 65,536 possible unlockKey values, meaning that a successful attack could take several days.
However, because the communication protocol is susceptible to downgrade attacks and because the lock supports the processing of plaintext messages, an MitM attacker could obtain the unencrypted value of the unlockKey and then supply it to the lock as the challenge response.
Because the lock does not close the connection if the wrong challenge response is provided and does not limit the number of attempts a challenge response can be supplied to it, an attacker could enumerate through the 65,536 possible values in less than 40 minutes, significantly reducing the time required to brute force the challenge.
Aleph Research also discovered that the AES key used when pairing a lock and a wireless keypad is not unique, allowing an attacker to compromise other locks using the same firmware, that an attacker impersonating a gateway device can easily cause the server to use a new generated AES key, and that firmware updates are not authenticated or validated if supplied over Bluetooth LE.
“These vulnerabilities allow attackers with physical, adjacent, or Bluetooth connection proximity to the lock access of various capabilities to compromise the lock integrity, without victim knowledge or interaction. This results in the locks functionality being null,” reads an advisory from the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.
The identified issues, tracked as CVE-2023-7003 through CVE-2023-7007, CVE-2023-7009, CVE-2023-7017, and CVE-2023-6960, impact Kontrol Lux devices running firmware versions 6.5.x to 6.5.07, Gateway G2 products running firmware version 6.0.0, and the TTLock app version 6.4.5.
“There is no software solution for these vulnerabilities, only a potential work-around. By disabling various functions related to the Bluetooth capability of locks using Sciener firmware, several of the attacks can be prevented. However, as the locks are designed with the intention of utilization with the TTLock App, this may not be a practical solution for most users,” CERT/CC says.
The impacted vendors were notified in November 2023, but have not provided a response, CERT/CC notes.
Related: Nuki Smart Lock Vulnerabilities Allow Hackers to Open Doors
Related: Nexx Ignores Vulnerabilities Allowing Hackers to Remotely Open Garage Doors
Related: Researchers Devise New Type of Bluetooth LE Relay Attacks