AuntyFey Smart Combination Lock Bluetooth Low Energy Denial-of-Service Vulnerability

Vulnerability

A denial-of-service vulnerability has been identified in the AuntyFey Smart Combination Lock, specifically in the firmware versions available as of January 6, 2026. This vulnerability allows an unauthenticated attacker within Bluetooth Low Energy (BLE) range to disrupt the lock's functionality by repeatedly initiating BLE connections. These sustained connection attempts interfere with the keypad authentication process, forcing the device into lockout states every 10 to 15 seconds. As a result, legitimate users are unable to unlock the device.

Impact

Exploitation of this vulnerability causes the lock to become unresponsive to legitimate input, with the device entering a lockout state that prevents unlocking. The disruption is caused by interference from the repeated BLE connection attempts, not by invalid PIN entries. The vulnerability affects both default and custom lock configurations.

Reproduction

The vulnerability can be reproduced by using a BLE-capable device to send repeated connection requests to the lock's static BLE MAC address, which can be obtained after a physical button press on the lock. This can be automated with a Python script using the 'bleak' library, creating a loop that continuously initiates connection attempts. The lock will interrupt any ongoing keypad input and force a lockout state, effectively rendering it unusable.

Added: Jan 7, 2026, 2:39 PM
Updated: Jan 7, 2026, 2:39 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 3.1
exploitability: 6.2
remediation: 0.0
relevance: 1.9
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.