CVE-2020-8790

9.8 CRITICAL

📋 TL;DR

CVE-2020-8790 allows remote attackers to brute-force weak passwords on the OKLOK mobile app for Fingerprint Bluetooth Padlock FB50, potentially gaining unauthorized access to the lock system. This affects users of the OKLOK app version 3.1.1 paired with FB50 padlock firmware 2.3.

💻 Affected Systems

Products:
  • OKLOK mobile companion app
  • Fingerprint Bluetooth Padlock FB50
Versions: OKLOK app 3.1.1 with FB50 padlock firmware 2.3
Operating Systems: Android, iOS
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the default configuration with weak password requirements and no authentication attempt limits.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete compromise of all connected padlocks, allowing physical access to secured locations and potential theft or sabotage.

🟠

Likely Case

Unauthorized access to individual padlocks through automated password guessing attacks.

🟢

If Mitigated

Limited to failed login attempts with no successful breaches if strong passwords and rate limiting are enforced.

🌐 Internet-Facing: HIGH - The app talks to the padlock over Bluetooth, so the attack does not need network access to the lock; it can be carried out from within Bluetooth range or through a relay attack.
🏢 Internal Only: LOW - The vulnerability requires proximity to the physical padlock via Bluetooth.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept code is available on GitHub, making exploitation straightforward for attackers with basic skills.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: No official vendor advisory found

Restart Required: No

Instructions:

No official patch available. Check the app stores for updated versions of the OKLOK app and the manufacturer's website for FB50 firmware updates.

🔧 Temporary Workarounds

Disable Bluetooth when not in use

Applies to: all

Prevents remote attacks by disabling Bluetooth connectivity to the padlock.

Use a strong, unique password

Applies to: all

Use complex passwords longer than 12 characters, including special characters, to resist brute force.

🧯 If You Can't Patch

  • Discontinue use of vulnerable padlock/app combination for sensitive applications
  • Implement physical security monitoring and alarms as compensating controls

🔍 How to Verify

Check if Vulnerable:

Check OKLOK app version in app settings and FB50 firmware version via manufacturer documentation.

Check Version:

No standard command - check within mobile app settings and padlock documentation

Verify Fix Applied:

Verify updated app version >3.1.1 and test authentication attempt limits.

📡 Detection & Monitoring

Log Indicators:

  • Multiple failed authentication attempts from unknown devices
  • Unusual Bluetooth connection patterns

Network Indicators:

  • Bluetooth scanning activity near padlock locations
  • Unusual Bluetooth MAC addresses attempting connections

SIEM Query:

No standard SIEM query available for Bluetooth-based attacks
