CVE-2023-7009 identifies a critical security vulnerability in the Sciener Kontrol Lux smart lock product line, specifically affecting version 6.5.x. The root cause is the lack of encryption for sensitive data transmitted over Bluetooth Low Energy (BLE). Some Sciener-based locks accept and process plaintext messages under 16 bytes as if they were encrypted, violating secure communication principles (CWE-311: Missing Encryption of Sensitive Data and CWE-319: Cleartext Transmission of Sensitive Information). This flaw allows an unauthenticated attacker within BLE range to send crafted malicious commands directly to the lock without needing to decrypt or authenticate, effectively bypassing security controls. The vulnerability impacts the lock’s integrity by enabling unauthorized command execution, potentially unlocking or manipulating the device. The CVSS v3.1 score of 8.2 reflects the network attack vector, no required privileges or user interaction, and high impact on integrity with limited confidentiality impact and no availability impact. No patches are currently available, and no exploits have been observed in the wild, but the vulnerability presents a significant risk given the widespread use of BLE in smart locks and the critical nature of physical security devices. The vulnerability was published on March 15, 2024, and assigned by CERT-CC.

For European organizations, this vulnerability poses a substantial risk to physical security infrastructure relying on Sciener Kontrol Lux locks. Unauthorized access to facilities, data centers, or residential properties could occur if attackers exploit this flaw, leading to potential theft, espionage, or disruption of operations. The lack of encryption and authentication means attackers can operate remotely within BLE range, which is typically up to 10-30 meters, making attacks feasible in urban or densely populated environments. Sectors such as hospitality, corporate offices, smart homes, and government buildings using these locks are particularly vulnerable. The integrity compromise could undermine trust in IoT security and result in regulatory scrutiny under GDPR if personal data or physical security is breached. Although availability is not directly affected, the potential for unauthorized entry elevates overall risk. The absence of known exploits provides a window for proactive mitigation but also indicates the need for vigilance.

1. Immediate mitigation should include disabling Bluetooth Low Energy communication on affected locks where feasible until a vendor patch is released. 2. Network segmentation and physical access controls should be enhanced to limit attacker proximity to BLE signals. 3. Monitor BLE traffic for anomalous or unauthorized commands using specialized IoT security tools or BLE sniffers. 4. Engage with Sciener for firmware updates or patches addressing this vulnerability and apply them promptly once available. 5. Implement multi-factor authentication or secondary verification mechanisms for physical access where possible to reduce reliance on vulnerable locks. 6. Educate facility managers and security personnel about the risks and signs of exploitation attempts. 7. Consider replacing vulnerable locks with alternatives that enforce strong encryption and authentication for BLE communications if patches are delayed. 8. Conduct regular security audits of IoT devices and maintain an inventory of all smart locks to ensure timely vulnerability management.