Kelly Leuschner and Thorsten Rosendahl discovered this vulnerability.

Cisco Talos researchers recently discovered a vulnerability in the Lenovo Smart Clock Essential that could allow an attacker to completely take over the device if they have access to the network the clock is connected to.

TALOS-2023-1692 (CVE-2023-0896) exists because the smart clock does not change its hardcoded credentials once it's set up and connected to the network. Therefore, an attacker could use a specially crafted command line argument to gain full control of the device using SSH or telnet if they already have network access.

Talos also alerted Lenovo that the clock’s hardcoded root password is weak and easily guessed or cracked. Even on low-end hardware, and with a basic dictionary, the brute force took less than a second.

The default username is “root” and the default password is “123456”.

The clock includes a built-in microphone to accept voice commands and connects to the popular Amazon Alexa smart home system and AI assistant.

The file system is accessible and offers enough room to install undesired software/services.

Cisco Talos worked with Lenovo to ensure that these issues are resolved and an update is available for affected users, all in adherence to Cisco’s vulnerability disclosure policy.

Users are encouraged to update these affected products as soon as possible: Lenovo Group Ltd. Smart Clock Essential, version 4.9.113. Talos tested and confirmed this version of the clock could be exploited by this vulnerability. Users should update to Lenovo Smart Clock Essential software version 90 or later to fix this vulnerability, according to Lenovo. (The version information can be checked in your Alexa App under “Devices.”)

The following Snort rule will detect exploitation attempts against this vulnerability: 61094. Additional rules may be released in the future and current rules are subject to change, pending additional vulnerability information. For the most current rule information, please refer to your Cisco Secure Firewall Management Center or Snort.org.