CVE-2020-9059

Vulnerability

Z-Wave devices based on Silicon Labs 500 series chipsets that use S0 authentication are vulnerable to uncontrolled resource consumption, which can lead to battery exhaustion. For example, the Schlage BE468 version 3.42 door lock is confirmed vulnerable and fails open when the battery level is low [1][2]. This vulnerability is cataloged as CVE-2020-9059 and was discovered through the VFuzz fuzzing approach [4].

Exploitation

An attacker within Z-Wave radio range can send malicious Z-Wave packets to the vulnerable device. The exploit does not require prior authentication or user interaction; the attacker only needs proximity to the target device to transmit specially crafted frames that trigger excessive power consumption [1][2]. The exact attack sequence involves injecting packets that force the device to process them repeatedly, exhausting the battery.

Impact

Successful exploitation depletes the device’s battery, causing a denial of service. For door locks such as the Schlage BE468, low battery results in the lock failing open, which could allow unauthorized physical access [1][2]. The attack does not require intercepting or replaying traffic, but the controlled resource consumption directly impacts the availability and physical security of the device.

Mitigation

Silicon Labs recommends upgrading to hardware that supports S2 authentication and encryption, such as newer 500 or 700 series chipsets [2][3]. For devices that cannot be upgraded, replacing the device with a newer model that supports S2 is the advised mitigation. No software patch has been released for the Schlage BE468 version 3.42; the fix is hardware-based. The vulnerability is not listed on CISA’s Known Exploited Vulnerabilities (KEV) catalog as of the publication date.