Mimo Baby CVE-2018-10825 – Spoofed attack injection

Authors: Victor Casares
Risk: High

CVE: CVE-2018-10825
0day: Spoofed attack injection

0day-id: 0DAY-176184
Date: 2018-05-15

Description

Mimo Baby 2 devices do not use authentication or encryption for the Bluetooth Low Energy (BLE) communication from a Turtle to a Lilypad, which allows attackers to inject fake information about the position and temperature of a baby via a replay or spoofing attack.

Analysis

The Turtle sends information over BLE (Bluetooth Low Energy) to the Lilypad, which is responsible for uploading that information to an IoT cloud, from which the smartphone obtains the corresponding data.

The vendor itself explains this operation graphically:

One of the problems we found is that the application does not adequately validate authorization when the Lilypad (IP: 10.42.0.107) sends information to the IoT cloud (3.x.x.3). In a Wireshark capture we can see that the Lilypad performs a simple GET to the IoT cloud, passing along the data it received from the Turtle over BLE.

Analyzing the packets, we did not see any authentication in them; therefore, anyone who knows the format of the payload could send packets to the IoT cloud, altering the values within it that correspond to the position or temperature of a baby. These values would reach the IoT cloud and then be downloaded automatically by the smartphone.
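The missing control is origin authentication on the ingest endpoint: the cloud has no way to tell a report from a Turtle apart from one typed by hand. The example below is added here and is not code from the advisory or from the vendor; it models the unauthenticated GET beside a hardened handler that requires a per-device HMAC over the fields, a timestamp window, and a per-device nonce so that an exact replay of a valid report is also refused. The device identifier, key, and field names are constructed for the example.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode

# Constructed example: one per-device secret, provisioned into the Turtle at
# manufacture and kept server-side. Hypothetical identifier and key value.
DEVICE_KEYS = {
    "turtle-0001": bytes.fromhex(
        "2f9a1c4b8e7d6a5f3c2b1a0f9e8d7c6b5a4f3e2d1c0b9a8f7e6d5c4b3a2f1e0d"
    ),
}

MAX_SKEW_SECONDS = 30  # how old (or how far in the future) a report may be


def vulnerable_ingest(query_string):
    """Models the behaviour the advisory describes: any GET carrying the
    expected fields is stored. Nothing proves the report came from a Turtle."""
    q = parse_qs(query_string)
    return {"device": q["device"][0], "temp": float(q["temp"][0]), "pos": q["pos"][0]}


def _canonical(fields):
    """Deterministic serialisation of the signed fields (everything but 'mac')."""
    return "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "mac")


def sign_report(device_id, temp, pos, key, now=None):
    """Build the query string an authenticated device would send: the report
    fields, a timestamp, a random nonce, and an HMAC-SHA256 over all of them."""
    fields = {
        "device": device_id,
        "temp": f"{temp:.1f}",
        "pos": pos,
        "ts": str(int(now if now is not None else time.time())),
        "nonce": secrets.token_hex(8),
    }
    fields["mac"] = hmac.new(key, _canonical(fields).encode(), hashlib.sha256).hexdigest()
    return urlencode(fields)


def hardened_ingest(query_string, seen_nonces, now=None):
    """Accept a report only if it names a known device, is fresh, carries a
    valid MAC, and has not been seen before. Returns the record or None."""
    q = {k: v[0] for k, v in parse_qs(query_string).items()}
    key = DEVICE_KEYS.get(q.get("device", ""))
    if key is None:
        return None  # unknown device id
    now = now if now is not None else time.time()
    try:
        ts = int(q["ts"])
    except (KeyError, ValueError):
        return None  # missing or malformed timestamp
    if abs(now - ts) > MAX_SKEW_SECONDS:
        return None  # stale or future-dated report
    expected = hmac.new(key, _canonical(q).encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, q.get("mac", "")):
        return None  # forged, or fields altered after signing
    replay_key = (q["device"], q.get("nonce", ""))
    if replay_key in seen_nonces:
        return None  # exact replay of a previously accepted report
    seen_nonces.add(replay_key)
    return {"device": q["device"], "temp": float(q["temp"]), "pos": q["pos"]}
```

The nonce set only needs to cover the skew window, so a real service can expire entries older than `MAX_SKEW_SECONDS`; without the timestamp check the set would grow without bound, and without the nonce check a captured valid report could be resubmitted indefinitely inside the window.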

POC

On the other hand, we know that a Turtle can only be registered by one user, but… the Turtle IDs are predictable and the application allows multiple requests to be sent within a few seconds, so it would be possible to register all Turtles that have not yet been registered, including new Turtles that will be sold in the future. This weakness would cause a denial of service for users who wish to use the product if their Turtle had already been registered by a “malicious individual”, since, as we mentioned earlier, one Turtle cannot be registered twice. The image below shows the above:

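Two properties together make the registration flow abusable: identifiers an outsider can guess, and a server that answers as many registration attempts as it is sent. The example below is added here and is not the vendor's code; it shows a registration service that issues unpredictable device IDs with a one-time claim code at provisioning time, answers unknown and wrong-code attempts identically, and rate-limits attempts per client with a sliding window. The class, method names, and limits are hypothetical choices for the example.

```python
import secrets
import time
from collections import deque

RATE_LIMIT = 5        # registration attempts allowed per client per window
WINDOW_SECONDS = 60   # sliding-window length (constructed value)


class RegistrationService:
    """Hypothetical backend for claiming a device. Nothing here mirrors the
    vendor's real API; it demonstrates the controls that close the weakness."""

    def __init__(self):
        self.claim_codes = {}   # device_id -> claim code issued at provisioning
        self.owners = {}        # device_id -> user who claimed it
        self.attempts = {}      # client -> deque of attempt timestamps

    def provision(self):
        """Manufacturing step: a 64-bit random id (not sequential, so it cannot
        be enumerated) plus a random claim code shipped with the device."""
        device_id = secrets.token_hex(8)
        claim_code = secrets.token_urlsafe(12)
        self.claim_codes[device_id] = claim_code
        return device_id, claim_code

    def _allowed(self, client, now):
        """Sliding-window limiter: at most RATE_LIMIT attempts per WINDOW_SECONDS.
        Refused attempts are not counted, so a limited client is not locked out
        for longer than the window itself."""
        window = self.attempts.setdefault(client, deque())
        while window and now - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= RATE_LIMIT:
            return False
        window.append(now)
        return True

    def register(self, client, user, device_id, claim_code, now=None):
        """Claim a device for `user`. The same 'rejected' answer is returned for
        an unknown id and for a wrong code, so the response does not reveal
        which ids exist; duplicate claims are only reported to a valid holder."""
        now = now if now is not None else time.time()
        if not self._allowed(client, now):
            return "rate_limited"
        stored = self.claim_codes.get(device_id)
        if stored is None or not secrets.compare_digest(stored.encode(), claim_code.encode()):
            return "rejected"
        if device_id in self.owners:
            return "already_registered"
        self.owners[device_id] = user
        return "ok"
```

The order of the checks matters: the limiter runs before any lookup, so a flood of guesses costs the server almost nothing, and the claim code is verified before the "already registered" state is disclosed, so an outsider cannot use the registration endpoint to learn which devices are in use.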
Another vulnerability we would like to mention is the possibility of a man-in-the-middle attack over BLE. Because of the weak configuration of the devices, which use no mechanism to encrypt the communication, it is possible to intercept the traffic and then perform replay attacks, which would be reflected in the mobile application.

Proof of concept
