CVE-2019-13143

9.8 CRITICAL

📋 TL;DR

This CVE describes an HTTP parameter pollution vulnerability in the Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50 that allows complete lock takeover. Attackers can unbind the legitimate owner and bind themselves using easily obtainable user ID, name, and MAC address information. All users of the FB50 2.3 smart lock are affected.

💻 Affected Systems

Products:
  • Shenzhen Dragon Brothers Fingerprint Bluetooth Round Padlock FB50
Versions: 2.3
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: The vulnerability exists in the lock's API implementation and affects all devices running version 2.3. Mobile applications for both Android and iOS contain the vulnerable APIs.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete physical security compromise where attackers permanently take control of smart locks, potentially gaining unauthorized access to secured premises.

🟠 Likely Case

Attackers transfer lock ownership to themselves, rendering locks inaccessible to legitimate owners and requiring physical lock replacement.

🟢 If Mitigated

With proper network segmentation and access controls, impact is limited to isolated smart lock systems without broader network compromise.

🌐 Internet-Facing: HIGH - The vulnerability can be exploited remotely via APIs accessible through mobile applications, and required information (MAC addresses) can be obtained without authentication.
🏢 Internal Only: MEDIUM - While still exploitable within internal networks, attackers would need proximity or network access to discover and target specific locks.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires only the lock's MAC address, which can be obtained through Bluetooth scanning or API enumeration. No authentication is needed for the ownership transfer attack.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No known vendor advisory

Restart Required: No

Instructions:

No official patch is available. Users should contact Shenzhen Dragon Brothers for firmware updates or replacement options.

🔧 Temporary Workarounds

Disable Bluetooth and Network Connectivity

all

Physically disable or disconnect the lock from Bluetooth and network access to prevent remote exploitation

Network Segmentation

all

Isolate smart lock devices on separate network segments with strict firewall rules

🧯 If You Can't Patch

  • Replace affected locks with updated models from different vendors.
  • Implement physical security controls as the primary protection and treat the smart lock as a secondary convenience feature.

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via mobile app settings. If version is 2.3, the device is vulnerable.

Check Version:

Check within the Dragon Brothers mobile application settings under device information

Verify Fix Applied:

No verification method available as no official fix exists. Consider device replacement as verification of mitigation.

📡 Detection & Monitoring

Log Indicators:

  • Unusual ownership transfer events
  • Multiple failed binding attempts
  • API calls to unbind/bind endpoints from unknown sources

Network Indicators:

  • Unusual Bluetooth pairing requests
  • API calls to lock management endpoints from unexpected IPs
  • MAC address enumeration attempts

SIEM Query:

No standard SIEM query available due to proprietary nature of lock APIs
