Very Low
CVE-2020-10263 - Smart Speaker Root Shell via internal UART
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below:
Add References:
CVE-2020-10263 - Smart Speaker Root Shell via internal UART
MITRE ATT&CK
Collection
Command and Control
Credential Access
Defense Evasion
Discovery
Execution
Exfiltration
Impact
Initial Access
Lateral Movement
Persistence
Privilege Escalation
Topic Tags
Description
An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.52.4. Attackers can get root shell by accessing the UART interface and then they can (i) read Wi-Fi SSID or password, (ii) read the dialogue text files between users and XIAOMI XIAOAI speaker Pro LX06, (iii) use Text-To-Speech tools pretend XIAOMI speakers’ voice achieve social engineering attacks, (iv) eavesdrop on users and record what XIAOMI XIAOAI speaker Pro LX06 hears, (v) modify system files, (vi) use commands to send any IR code through IR emitter on XIAOMI XIAOAI Speaker Pro LX06, (vii) stop voice assistant service, (viii) enable the XIAOMI XIAOAI Speaker Pro’ SSH or TELNET service as a backdoor, (IX) tamper with the router configuration of the router in the local area networks.
Add Assessment
Ratings
-
Attacker ValueVery Low
-
ExploitabilityMedium
Technical Analysis
I came across this in a twitter thread here which highlights that, while it is true that many devices can be reverse engineered / cracked / taken apart / reprogrammed, etc. that in itself is not a vulnerability, it’s a feature! Simply having a debug port available inside of a consumer device is not any different than having an OBD-II port in a car. That’s what it’s there for. Having such a connection does make it easier to find more impactful attack vectors, lowering the barrier for security researchers to find other issues. You want folks to find bugs in your backend, certificate pinning, update protocol, etc.
In a related example, the smart toy mentioned in these advisories also had a root-shell enabled if you cut the stuffed animal apart and plug into the USB port on the circuit board. But the real interesting stuff was in the API gateway being remotely hijackable due to poor validation.
Would you also like to delete your Exploited in the Wild Report?
Delete Assessment Only Delete Assessment and Exploited in the Wild ReportCVSS V3 Severity and Metrics
General Information
Vendors
- mi
Products
- xiaomi xiaoai speaker pro lx06 firmware 1.52.4
References
Additional Info
Technical Analysis
Report as Exploited in the Wild
CVE ID
AttackerKB requires a CVE ID in order to pull vulnerability data and references from the CVE list and the National Vulnerability Database. If available, please supply below: