ID

VAR-202407-2539


CVE

CVE-2020-11921


TITLE

Lush 2 Missing Encryption

Trust: 0.1

sources: PACKETSTORM: 179800

DESCRIPTION

An issue was discovered in Lush 2 through 2020-02-25. Due to the lack of Bluetooth traffic encryption, it is possible to hijack an ongoing Bluetooth connection between the Lush 2 and a mobile phone. This allows an attacker to gain full control over the device. This attack hijacks the connection, even when someone else was actively using the device before. Note that the user of the device remains capable of simply shutting it down. In order to exploit this vulnerability, the attacker must be present in a certain radius in which the Bluetooth connection can be intercepted. This attack vector also requires specific hardware like the Micro:bit.

[Vulnerability Type] Incorrect Access Control
[Vendor of Product] Lovense
[Affected Product Code Base] Lush 2 - Cannot be determined.
[Affected Component] Lush 2, Bluetooth interface
[Attack Type] Local
[CVE Impact Other] Take over normal device functionality from the original owner.
[Reference] N/A
[Has vendor confirmed or acknowledged the vulnerability?] true
[Discoverer] Willem Westerhof, Jasper Nota, Roan Engelbert, Ilona de Bruin from Qbit cyber security in assignment of the Consumentenbond.

Use CVE-2020-11921

Trust: 0.99

sources: NVD: CVE-2020-11921 // PACKETSTORM: 179800

CVSS

SEVERITY

CVSSV2

CVSSV3

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2020-11921
value: HIGH

Trust: 1.0

134c704f-9b21-4f2e-91b3-4a467353bcc0: CVE-2020-11921
baseSeverity: HIGH
baseScore: 8.8
vectorString: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
attackVector: ADJACENT
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 2.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: NVD: CVE-2020-11921

PROBLEMTYPE DATA

problemtype:CWE-276

Trust: 1.0

sources: NVD: CVE-2020-11921

EXTERNAL IDS

db: NVD | id: CVE-2020-11921

Trust: 1.2

db: OTHER | id: NONE

Trust: 0.1

db: PACKETSTORM | id: 179800

Trust: 0.1

sources: OTHER: None // PACKETSTORM: 179800 // NVD: CVE-2020-11921

REFERENCES

url:https://seclists.org/fulldisclosure/2024/jul/14

Trust: 1.0

url:https://nvd.nist.gov/vuln/detail/cve-2020-11921

Trust: 0.1

sources: PACKETSTORM: 179800 // NVD: CVE-2020-11921

CREDITS

Willem Westerhof | Secura

Trust: 0.1

sources: OTHER: None

SOURCES

db: OTHER | id: -
db: PACKETSTORM | id: 179800
db: NVD | id: CVE-2020-11921

LAST UPDATE DATE

2025-01-30T22:36:12.498000+00:00


SOURCES UPDATE DATE

db: NVD | id: CVE-2020-11921 | date: 2024-11-08T19:01:03.880

SOURCES RELEASE DATE

db: OTHER | id: - | date: 2024-07-26T13:11:06
db: PACKETSTORM | id: 179800 | date: 2024-07-30T12:35:43
db: NVD | id: CVE-2020-11921 | date: 2024-11-07T18:15:15.590