
CVE-2023-6960: CWE-324: Use of a Key Past its Expiration Date in Sciener TTLock App

Severity: High
Tags: Vulnerability, CVE-2023-6960, CWE-324, CWE-603
Published: Fri Mar 15 2024 (03/15/2024, 17:09:26 UTC)
Source: CVE Database V5
Vendor/Project: Sciener
Product: TTLock App

Description

TTLock App virtual keys and settings are only deleted client side, and if preserved, can access the lock after intended deletion.

AI-Powered Analysis

Last updated: 11/04/2025, 19:30:13 UTC

Technical Analysis

CVE-2023-6960 affects the Sciener TTLock App, version 6.4.5, and concerns how virtual keys and their settings are revoked. Deleting a key in the app removes it only on the client: if an attacker or the original key holder preserves the key data locally, it continues to open the lock after it was meant to be deleted, and after it has expired. Two weaknesses are recorded: CWE-324 (Use of a Key Past its Expiration Date) and CWE-603 (Use of Client-Side Authentication), the latter because the decision that a key is no longer valid is left to the untrusted client rather than made by the lock or the server.

The CVSS v3.1 score is 7.5 (High). The vector recorded with the CVE treats the attack as network-based and requiring neither privileges nor user interaction, with the impact on integrity: unauthorized physical access to premises the lock protects. No exploitation in the wild has been reported, but the risk is significant given TTLock's use in smart-home and enterprise IoT deployments.

The underlying design flaw is that expiration and deletion are enforced only by the client discarding the key; nothing on the server or lock side rejects a key the client should have thrown away, so a client that simply keeps the data bypasses the control. The record lists no patch links, so a fix may not yet be publicly available; organizations relying on TTLock should treat deletion in the app as insufficient to revoke access and apply the mitigations below.
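To make the design flaw concrete, the following is an added toy model written for this page. It is not Sciener's or TTLock's code and does not reflect their real key format, protocol, or radio transport; the shared secret, the JSON key fields, and all class and function names are assumptions. A virtual key is modelled as a MAC-protected blob the phone stores and replays to the lock. The first lock class verifies only that the key is genuine and trusts the app to discard deleted or expired keys, which is the client-side-only enforcement described above; the second checks expiry and its own revocation list, so a retained copy stops working.

```python
"""Added example, not TTLock/Sciener code: client-side-only key revocation
(CWE-603) versus verifier-side enforcement of expiry and deletion (CWE-324).
Key format, secret, and names are constructed for illustration only."""
import hashlib
import hmac
import json

# Constructed secret shared by issuer and lock; a real lock would hold a
# per-device secret provisioned at pairing time.
LOCK_SECRET = b"constructed-demo-secret-not-a-real-key"


def _mac(secret, payload):
    return hmac.new(secret, payload, hashlib.sha256).hexdigest()


def issue_key(secret, key_id, holder, not_after):
    """Issue a virtual key: a MACed blob the phone stores and later replays to
    the lock. Expiry is embedded in the payload so the lock can check it."""
    payload = json.dumps(
        {"key_id": key_id, "holder": holder, "not_after": not_after}, sort_keys=True
    )
    return {"payload": payload, "tag": _mac(secret, payload.encode())}


class PhoneApp:
    """The client. Deleting a key here only removes it from local storage."""

    def __init__(self):
        self.keys = {}

    def store(self, key):
        self.keys[json.loads(key["payload"])["key_id"]] = key

    def delete(self, key_id):
        self.keys.pop(key_id, None)


class ClientSideRevocationLock:
    """Vulnerable design: the lock checks only that the key is genuine and
    relies on the app to throw away deleted or expired keys."""

    def __init__(self, secret):
        self.secret = secret

    def unlock(self, key, now):
        return hmac.compare_digest(_mac(self.secret, key["payload"].encode()), key["tag"])


class VerifierSideRevocationLock:
    """Hardened design: the verifier enforces expiry and deletion itself,
    so a key the client kept is still rejected."""

    def __init__(self, secret):
        self.secret = secret
        self.revoked = set()  # deletion must be propagated here to take effect

    def revoke(self, key_id):
        self.revoked.add(key_id)

    def unlock(self, key, now):
        if not hmac.compare_digest(_mac(self.secret, key["payload"].encode()), key["tag"]):
            return False  # forged or tampered key
        fields = json.loads(key["payload"])
        if now >= fields["not_after"]:
            return False  # expired, whatever the app did with its copy
        if fields["key_id"] in self.revoked:
            return False  # deleted, whatever the app did with its copy
        return True


def demo(now=1_700_000_000):
    """Issue a key, keep a copy, delete it in the app, replay against both locks."""
    key = issue_key(LOCK_SECRET, "k-001", "guest", not_after=now + 3600)
    preserved = dict(key)  # copy taken before deletion, e.g. from an app backup

    app = PhoneApp()
    app.store(key)
    app.delete("k-001")  # the only revocation step in the vulnerable design

    vulnerable = ClientSideRevocationLock(LOCK_SECRET)
    hardened = VerifierSideRevocationLock(LOCK_SECRET)
    hardened.revoke("k-001")  # in the hardened design, deletion reaches the verifier

    # Attacker edits the expiry in a retained copy; the MAC no longer matches.
    tampered = dict(preserved)
    tampered["payload"] = preserved["payload"].replace(str(now + 3600), str(now + 10**6))
    fresh = issue_key(LOCK_SECRET, "k-002", "staff", not_after=now + 3600)

    return {
        "app_still_has_key": "k-001" in app.keys,
        "vulnerable_opens_with_deleted_key": vulnerable.unlock(preserved, now),
        "vulnerable_opens_with_expired_key": vulnerable.unlock(preserved, now + 7200),
        "hardened_opens_with_deleted_key": hardened.unlock(preserved, now),
        "hardened_opens_with_expired_key": hardened.unlock(fresh, now + 7200),
        "hardened_opens_with_valid_key": hardened.unlock(fresh, now),
        "hardened_opens_with_tampered_key": hardened.unlock(tampered, now),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The point of the hardened class is where the revocation state lives: `revoke()` is called on the verifier, not on the phone, and the expiry is read from the MAC-protected payload at unlock time. Whether that verifier is the lock itself or a server the lock consults is a deployment choice; what matters is that it is not the client holding the key. Any design in which the app is the only component that knows a key was deleted behaves like `ClientSideRevocationLock`.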

Potential Impact

For European organizations, the impact of CVE-2023-6960 falls primarily on the integrity of physical access controls. Organizations using the TTLock App to manage entry to offices, warehouses, or sensitive areas risk unauthorized access if a revoked key's data has been retained, with the attendant risk of theft, espionage, or sabotage in sectors such as finance, manufacturing, healthcare, and critical infrastructure. Because the access continues without authentication or user interaction, anyone who obtained key data before revocation (a former tenant, contractor, or employee, or whoever holds a lost or stolen phone) can keep using it indefinitely. This is especially concerning in multi-tenant buildings, co-working spaces, and shared facilities, where keys are issued and withdrawn frequently.

The absence of server-side enforcement also complicates incident response and key management: deleting a key in the app gives administrators no assurance that the holder is locked out, so insider threats and lost or stolen devices cannot be cleanly contained. The vulnerability may also erode trust in IoT-based access control, causing operational disruption and financial loss. No exploitation in the wild has been reported, which lowers the immediate risk but not the potential for future attacks as threat actors increasingly target IoT devices.

Mitigation Recommendations

To mitigate CVE-2023-6960, European organizations should:

1) Audit all virtual keys issued via the TTLock App and revoke any that are no longer needed, confirming deletion on both the client and the server. Until a fix is available, treat app-side deletion as unreliable against a holder who has retained the key data, and plan around the compensating controls below rather than relying on revocation alone.
2) Limit the distribution of virtual keys and enforce strict lifecycle management: short validity windows, periodic rotation, and expiration enforced server-side rather than by the app.
3) Monitor access logs and, where the locks or their gateways are reachable over the network, network traffic, for unlock events that do not correspond to a currently valid key or fall outside expected hours.
4) Where possible, disable remote key-sharing features until a vendor patch is available.
5) Engage with Sciener for information on patches or updates addressing this vulnerability and apply them promptly once released.
6) Deploy compensating physical controls (traditional locks, secondary authentication, or supervised entry) for sensitive areas otherwise protected only by TTLock devices.
7) Educate users and administrators that deleting a key in the app does not invalidate retained copies, and forbid local retention of key data. This addresses cooperating users only; it does not stop an attacker who has already captured a key.
8) Segment IoT devices onto isolated networks to reduce the attack surface.

The emphasis is on key-lifecycle enforcement, monitoring, and compensating controls until a vendor fix is available.


Technical Details

Data Version: 5.2
Assigner Short Name: certcc
Date Reserved: 2023-12-19T19:28:41.442Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 690a47466d939959c80222d5

Added to database: 11/4/2025, 6:34:46 PM

Last enriched: 11/4/2025, 7:30:13 PM

Last updated: 11/5/2025, 2:14:39 PM


