BSI warns of insecure wireless door locks from Abus
The BSI warns that the HomeTec Pro CFA3000 and the associated remote control are unsafe. Unauthorized persons could unlock the lock.
The Federal Office for Information Security (BSI) warns against using a specific wireless door lock from Abus. The BSI reports that the product set consisting of the HomeTec Pro CFA3000 wireless door lock drive and the associated CFF3000 wireless remote control has a vulnerability that the manufacturer has confirmed. This vulnerability could allow attackers at close range to lock or unlock the door lock and gain access to buildings, offices, apartments, or houses.
The BSI recommends that anyone who owns an Abus wireless door lock and thinks they are affected should replace the door lock and contact the manufacturer. The security gap cannot be remedied in this product generation, and there are no update options for customers. The product in question is a discontinued model that, according to Abus, has been replaced by a successor generation since March 2021, the BSI continues. However, the successor model does not differ significantly from the affected devices in appearance, nor in its name. “In the absence of specific information, the date of purchase or manufacture of a corresponding device is not a reliable indicator of whether it is affected by the vulnerability.”
Best to replace
The successor model can be recognized, among other things, by a Bluetooth logo on the product or by means of a QR code card that comes with the product, Abus said. “Without sufficient public information from the manufacturer, however, users of the product cannot carry out a sufficient individual assessment and assessment of the risk situation for their application of the device,” writes the BSI.
The vulnerability was reported to the BSI by security researchers in a Coordinated Vulnerability Disclosure (CVD) process. Other smart door locks were not examined. In this warning, the BSI refers to paragraph 7 of the law on the Federal Office for Information Security. According to this, the office issues a warning if “the manufacturer takes no or insufficient measures against the threat emanating from a security gap that has become known,” reports the BSI. Something like this can also happen during the ongoing CVD process, “if irreconcilable differences arise between the manufacturer and the BSI, which are usually based on the BSI assessing the manufacturer’s measures as insufficient”.