
AUMA: Incorrect delivery status of the Bluetooth configuration

VDE-2025-047
Last update
10.06.2025 12:00
Published at
10.06.2025 12:00
Vendor(s)
AUMA Riester GmbH & Co. KG
External ID
VDE-2025-047

Summary

For actuators with AC.2 controls and PROFOX actuators, an incorrect configuration was applied to deliveries within the period from 01.01.2024 to 09.05.2025. Despite the ordered option "L90.00 = Bluetooth always deactivated", these actuators were delivered with the Bluetooth module activated, which would allow an attacker to use the Bluetooth interface. The Bluetooth interface of the affected actuators can be deactivated after delivery using the standard procedures listed in the manuals.

Impact

An unexpectedly activated Bluetooth module can lead to unwanted fingerprinting of the Bluetooth data by an attacker.

Affected Product(s)

Model no. Product name Affected versions
AC1.2 delivered between 01.01.2024<09.05.2025 AC1.2 delivered between 01.01.2024<09.05.2025
PROFOX delivered between 01.01.2024<09.05.2025 PROFOX delivered between 01.01.2024<09.05.2025
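
An inventory triage for the criteria above (product family, option L90.00, delivery window), added here as an example and not part of the advisory or vendor code. The CSV column names, serial numbers and the second option code are constructed, and both window end dates are assumed to be inclusive.

```python
import csv
import io
from datetime import date, datetime

# Delivery window from the advisory; both end dates treated as inclusive (assumption).
WINDOW_START = date(2024, 1, 1)
WINDOW_END = date(2025, 5, 9)
AFFECTED_FAMILIES = ("AC.2", "AC1.2", "PROFOX")  # both spellings used in the advisory
BT_OFF_OPTION = "L90.00"  # "Bluetooth always deactivated"

# Constructed sample inventory; column names, serials and OPT-EXAMPLE are hypothetical.
SAMPLE_INVENTORY = """serial,product,delivery_date,ordered_options
EX-0001,AC.2,15.03.2024,L90.00
EX-0002,PROFOX,09.05.2025,L90.00;OPT-EXAMPLE
EX-0003,AC.2,10.05.2025,L90.00
EX-0004,PROFOX,20.11.2024,
EX-0005,AC.2,2024-07-01,L90.00
EX-0006,OTHER,01.02.2024,L90.00
"""

def triage(inventory_csv):
    """Return {serial: status} for every row of the inventory."""
    result = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        serial = row["serial"]
        family = row["product"].strip().upper()
        options = {o.strip() for o in row["ordered_options"].split(";") if o.strip()}
        # Only units ordered with Bluetooth permanently off are covered here.
        if family not in AFFECTED_FAMILIES or BT_OFF_OPTION not in options:
            result[serial] = "not_in_scope"
            continue
        try:
            delivered = datetime.strptime(row["delivery_date"].strip(), "%d.%m.%Y").date()
        except ValueError:
            # Unreadable date: do not silently clear the unit.
            result[serial] = "manual_review"
            continue
        in_window = WINDOW_START <= delivered <= WINDOW_END
        result[serial] = "check_bluetooth" if in_window else "outside_window"
    return result

if __name__ == "__main__":
    for serial, status in triage(SAMPLE_INVENTORY).items():
        print(serial, status)
```

Units reported as check_bluetooth are the ones whose Bluetooth state should be verified on the device and deactivated using the procedure in the manual.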

Vulnerabilities


Published
22.09.2025 14:57
Weakness
Observable Behavioral Discrepancy With Equivalent Products (CWE-207)
Summary

Due to an undocumented active Bluetooth stack on products delivered within the period 01.01.2024 to 09.05.2025, fingerprinting is possible by an unauthenticated adjacent attacker.

References

Remediation

As the Bluetooth interface is not required for normal operation, it is advisable to activate and use it only when it is needed, e.g. when configuring the actuator or reading diagnostic data. Under normal operating conditions, it should be deactivated.

Revision History

Version Date Summary
1 10.06.2025 12:00 Initial revision