Attacker Value
Very Low
(1 user assessed)
Exploitability
Moderate
(1 user assessed)
User Interaction
None
Privileges Required
None
Attack Vector
Physical
1

CVE-2020-10263 - Smart Speaker Root Shell via internal UART

Disclosure Date: April 08, 2020
Add MITRE ATT&CK tactics and techniques that apply to this CVE.

Description

An issue was discovered on XIAOMI XIAOAI speaker Pro LX06 1.52.4. Attackers can get root shell by accessing the UART interface and then they can (i) read Wi-Fi SSID or password, (ii) read the dialogue text files between users and XIAOMI XIAOAI speaker Pro LX06, (iii) use Text-To-Speech tools pretend XIAOMI speakers’ voice achieve social engineering attacks, (iv) eavesdrop on users and record what XIAOMI XIAOAI speaker Pro LX06 hears, (v) modify system files, (vi) use commands to send any IR code through IR emitter on XIAOMI XIAOAI Speaker Pro LX06, (vii) stop voice assistant service, (viii) enable the XIAOMI XIAOAI Speaker Pro’ SSH or TELNET service as a backdoor, (IX) tamper with the router configuration of the router in the local area networks.

Add Assessment

3
Ratings
Technical Analysis

I came across this in a twitter thread here which highlights that, while it is true that many devices can be reverse engineered / cracked / taken apart / reprogrammed, etc. that in itself is not a vulnerability, it’s a feature! Simply having a debug port available inside of a consumer device is not any different than having an OBD-II port in a car. That’s what it’s there for. Having such a connection does make it easier to find more impactful attack vectors, lowering the barrier for security researchers to find other issues. You want folks to find bugs in your backend, certificate pinning, update protocol, etc.

In a related example, the smart toy mentioned in these advisories also had a root-shell enabled if you cut the stuffed animal apart and plug into the USB port on the circuit board. But the real interesting stuff was in the API gateway being remotely hijackable due to poor validation.

CVSS V3 Severity and Metrics
Base Score:
6.8 Medium
Impact Score:
5.9
Exploitability Score:
0.9
Vector:
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Physical
Attack Complexity (AC):
Low
Privileges Required (PR):
None
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Vendors

  • mi

Products

  • xiaomi xiaoai speaker pro lx06 firmware 1.52.4

Additional Info

Technical Analysis