VYPR
Critical severity 9.8 · NVD Advisory · Published Mar 15, 2024 · Updated Apr 15, 2026

CVE-2023-7017


Description

Sciener smart locks accept unauthenticated firmware updates over Bluetooth Low Energy, allowing an attacker to fully compromise the device.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

The firmware update mechanism in Sciener-based locks lacks authentication or validation for updates delivered over Bluetooth Low Energy (BLE). By sending a challenge request with a command to prepare for an update (instead of an unlock request), an attacker can trigger the lock to accept arbitrary firmware without any integrity check or cryptographic signature [1][2].

Exploitation

An attacker only needs BLE proximity to the lock; no prior authentication or valid virtual key is required. The lock's BLE service responds to challenge frames, and a specially crafted message can instruct the lock to enter firmware update mode. The official description notes that the update command is invoked through the same BLE channel used for normal unlock operations, making the attack straightforward once the protocol is understood [1].

Impact

Successful exploitation gives the attacker full control over all lock functions: they can unlock, lock, or permanently disable the device, and potentially use it as a pivot to compromise other devices on the user's network (e.g., via a gateway). Since the update is entirely unauthenticated, the attacker can install malicious firmware that impersonates normal behavior while exfiltrating data or opening the door on command [2].

Mitigation

As of publication (March 2024), Sciener has not released a patch for this vulnerability. The CERT/CC note lists CVE-2023-7017 as unpatched and recommends that users disable BLE on the lock when not needed, or replace the lock with one from a vendor that supports signed firmware updates [2]. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities catalog.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The lock's firmware update mechanism does not authenticate or validate firmware updates received over the Bluetooth Low Energy service."

Attack vector

An attacker sends a challenge request to the lock via BLE with a command to prepare for a firmware update rather than an unlock request. The lock's firmware update mechanism does not authenticate or validate firmware updates passed through the BLE service [ref_id=1]. Because the lock does not close the connection or limit attempts after a wrong challenge response, the attacker can repeatedly send unencrypted challenge responses (leveraging the plaintext message processing flaw) to guess the 16-bit challenge value, with a median time of about 20 minutes to succeed [ref_id=1].

Affected code

The advisory does not specify exact function names or file paths for the firmware update vulnerability. The research describes the lock's Bluetooth Low Energy service processing commands, including a "prepare for an update" command that can be sent instead of an unlock request [ref_id=1].

What the fix does

The advisory does not provide a patch or specific remediation. The researcher recommends that the lock should authenticate and validate any firmware update payload received over BLE, and that the lock should enforce rate-limiting or close the connection after failed challenge attempts [ref_id=1]. No vendor fix has been published in the supplied materials.
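The recommendation above to limit failed challenge attempts, sketched in C as an added example; it is not Sciener's firmware or the researcher's code. All names, the three-failure limit, the doubling lockout, and gating the update-prepare command on an authenticated session are assumptions for illustration; signature verification of the firmware image itself is not shown.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_FAILS 3          /* assumed policy: wrong responses allowed per connection */
#define BASE_LOCKOUT_S 30u   /* assumed policy: first lockout, doubled on each repeat */
#define MAX_LOCKOUT_S 3600u  /* assumed policy: lockout ceiling */

/* expected holds the 16-bit challenge value described on the page. */
typedef struct { uint16_t expected; uint8_t fails; bool open; bool authed; } session_t;
typedef struct { uint32_t lockout_s; uint64_t blocked_until; } lock_state_t;

/* Accept a new BLE connection only outside the lockout window. */
bool session_open(lock_state_t *ls, session_t *s, uint16_t challenge, uint64_t now) {
    if (now < ls->blocked_until) return false;
    *s = (session_t){ .expected = challenge, .open = true };
    return true;
}

/* Check one challenge response; close the link and back off after MAX_FAILS. */
bool session_respond(lock_state_t *ls, session_t *s, uint16_t resp, uint64_t now) {
    if (!s->open) return false;
    if (resp == s->expected) { s->authed = true; ls->lockout_s = 0; return true; }
    if (++s->fails >= MAX_FAILS) {
        s->open = false;                       /* drop the connection */
        ls->lockout_s = ls->lockout_s ? ls->lockout_s * 2 : BASE_LOCKOUT_S;
        if (ls->lockout_s > MAX_LOCKOUT_S) ls->lockout_s = MAX_LOCKOUT_S;
        ls->blocked_until = now + ls->lockout_s;
    }
    return false;
}

/* The update-prepare command is honoured only on an authenticated session. */
bool may_prepare_update(const session_t *s) { return s->open && s->authed; }

/* Count the wrong responses the lock evaluates in a time window under this policy. */
unsigned guesses_evaluated(uint64_t window_s) {
    lock_state_t ls = {0}; session_t s; unsigned n = 0;
    for (uint64_t t = 0; t < window_s; t++) {
        if (!session_open(&ls, &s, 0xBEEF, t)) continue;   /* constructed challenge */
        while (s.open) { session_respond(&ls, &s, 0x0000, t); n++; }
    }
    return n;
}

int main(void) {
    printf("wrong responses evaluated in 20 min: %u of 65536\n", guesses_evaluated(1200));
    return 0;
}
```

Under these assumed limits the lock evaluates 18 wrong responses in the 20-minute window the page cites, out of 65,536 possible 16-bit values.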

Preconditions

  • network: Attacker must be within Bluetooth Low Energy range of the target lock.
  • auth: No authentication or prior pairing is required; the lock accepts commands from any BLE device.
  • config: The lock must be powered on and advertising its BLE service.

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

2
