Critical Vulnerabilities Found in Popular Smart Locks

Kontrol vulnerabilities

Smart locks promise convenience and a futuristic feel, but recent research exposes a dark side to this technology. Kontrol and Elock locks, both utilizing firmware from the company Sciener, have been found riddled with security vulnerabilities. These flaws leave the locks open to hacking, potentially giving attackers the ability to unlock your doors – or worse – without your knowledge.

At the heart of these risks are several identified vulnerabilities, each tracked under its own CVE identifier, that expose both the Kontrol and Elock locks to various methods of cyber manipulation. They range from brute-force attacks on the ‘unlockKey’ to sophisticated impersonation and encryption downgrade attacks.

  1. CVE-2023-7006: This vulnerability exposes the ‘unlockKey’ to brute-force attack. An attacker bombards the lock with challenge requests, each containing a random integer, until the correct one is found, thus compromising the lock’s integrity.
  2. CVE-2023-7005: A deviously crafted message can downgrade the communication encryption protocol with the TTLock App, allowing unauthorized access by disclosing the unlockKey in plaintext.
  3. CVE-2023-7003: The same AES key is reused in the pairing process with wireless keypads across different locks, a startling lapse in security that offers a golden key to any lock supporting this feature.
  4. CVE-2023-6960: Virtual keys, despite their convenience, remain stored within the lock even after they are deleted from the TTLock App, where an astute attacker can still exploit them.
  5. CVE-2023-7004 & CVE-2023-7007: Both vulnerabilities stem from a significant verification oversight that allows threat actors to masquerade as legitimate devices or GatewayG2 units, enabling them to intercept or manipulate critical security parameters.
  6. CVE-2023-7009: A bug in the Kontrol Lux lock allows it to accept and process unencrypted malicious commands over Bluetooth Low Energy, undermining its security.
  7. CVE-2023-7017: Perhaps most alarming, the Kontrol Lux lock’s firmware update mechanism lacks authentication, permitting the installation of malicious firmware and thereby granting attackers full control of the device.

These aren’t just ways to unlock your home. Compromised smart locks can serve as gateways for larger attacks. Imagine hackers using your lock to gain entry into your home network, stealing data, or launching attacks on other connected devices. Companies using these locks are equally exposed.

Affected versions:

  • Kontrol Lux lock, firmware versions 6.5.x to 6.5.07
  • Gateway G2, firmware version 6.0.0
  • TTLock App, version 6.4.5

Sadly, no software update fixes all of this. Disabling Bluetooth features might block some attacks but renders your lock less “smart.” If you own a Kontrol or Elock, the safest course of action is likely to replace it with a lock from a brand with a proven commitment to security.