An issue was discovered on Alecto IVM-100 2019-11-12 devices. The device comes with a serial interface at the board level. By attaching to this serial interface and rebooting the device, a large amount of information is disclosed. This includes the view password and the password of the Wi-Fi access point that the device used.
b42befc858b86f3d8819791d933601caf73d18c43fef25ac1bf48bd2f453056c
An issue was discovered on Alecto IVM-100 2019-11-12 devices. The device uses a custom UDP protocol to start and control video and audio services. The protocol has been partially reverse engineered. Based upon the reverse engineering, no password or username is ever transferred over this protocol. Thus, one can set up the camera connection feed with only the encoded UID. It is possible to set up sessions with the camera over the Internet by using the encoded UID and the custom UDP protocol, because authentication happens at the client side.
30be5b3d8a4c41b0bd80dbb9c3ff49c1407c5db44ff864668aaab8728b0c851d
An issue was discovered in Lush 2 through 2020-02-25. Due to the lack of Bluetooth traffic encryption, it is possible to hijack an ongoing Bluetooth connection between the Lush 2 and a mobile phone. This allows an attacker to gain full control over the device.
a3c9d7fe9b813445303f460a981860ef365df6e220620ff212252ae3b3f0a3e7
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Authentication to the device is based on a username and password. The root credentials are the same across all devices of this model.
91634b6551f1c4552fd199be2e464137398cb4b429f2c78d26995a771a12cc5e
An issue was discovered in Luvion Grand Elite 3 Connect through 2020-02-25. Clients can authenticate themselves to the device using a username and password. These credentials can be obtained through an unauthenticated web request, e.g., for a JavaScript file. Also, the disclosed information includes the SSID and WPA2 key for the Wi-Fi network the device is connected to.
c1840a21faea62a36c6bc7e40c57e0e5b17eba2135cb46888a2b4014361ad916
An issue was discovered on One2Track 2019-12-08 devices. Confidential information is needlessly stored on the smartwatch. Audio files are stored in .amr format, in the audior directory. An attacker who has physical access can retrieve all audio files by connecting via a USB cable.
21d88cd70375a513ca358325971700e907cca09906e21a62eda4bd9a20252236
An issue was discovered on One2Track 2019-12-08 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a "Remove PIN and restart!" message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device.
c354352413f8666ba1eec42b7fabff8e3f67cfd24cf5d6949f74962a76b6e758
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. The device by default has a TELNET interface available (which is not advertised or functionally used, but is nevertheless available). Two backdoor accounts (root and default) exist that can be used on this interface. The usernames and passwords of the backdoor accounts are the same on all devices. Attackers can use these backdoor accounts to obtain access and execute code as root within the device.
657ac530d2693dc4d1d5836de1dbd822079a8d222c079df2445c9b8a2d90f78d
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. A local attacker with the "default" account is capable of reading the /etc/passwd file, which contains a weakly hashed root password. By taking this hash and cracking it, the attacker can obtain root rights on the device.
0565814322a8c520d48233f4208f575674bdcaee0dd5d4f8a76504f93a015dd4
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. A crash and reboot can be triggered by crafted IP traffic, as demonstrated by the Nikto vulnerability scanner. For example, sending the 111111 string to UDP port 20188 causes a reboot. To deny service for a long time period, the crafted IP traffic may be sent periodically.
6ec2dd61152dfc79f755826cd417ef76f9308483fefb98de18929d3fc231ad62
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. By default, a mobile application is used to stream over UDP. However, the device offers many more services that also enable streaming. Although the service used by the mobile application requires a password, the other streaming services do not. By initiating communication on the RTSP port, an attacker can obtain access to the video feed without authenticating.
850c930ab6136aac773a8e8414bf0c0de76c080804cb4d19d853a1e3a6ae67e2
An issue was discovered on Sannce Smart HD Wifi Security Camera EAN 2 950004 595317 devices. It is possible (using TELNET without a password) to control the camera's pan/zoom/tilt functionality.
4f111b524e1c6a2c13fe15aeb6f474b251ca164aab9366bbc9c9001930ad89b1
An issue was discovered in SeTracker2 for TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It has unnecessary permissions such as READ_EXTERNAL_STORAGE, WRITE_EXTERNAL_STORAGE, and READ_CONTACTS.
806a413eb345bf884dd2711847e2efb60cd41b51c64dc7189d3c7e0007fe10cc
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. When a backup file is created through the web interface, information on all users, including passwords, can be found in cleartext in the backup file. An attacker capable of accessing the web interface can create the backup file.
72a75bc908066ff805bf1c11389d4cbededbfda26a83fc3356cb5a8e513b7675
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. A command injection vulnerability resides in the HOST/IP section of the record settings menu in the webserver running on the device. By injecting Bash commands here, the device executes arbitrary code with root privileges (all of the device's services are running as root).
3633c78e948dbf68072a87d5a7c73a161e6a76ea536627422969fcefa860c12f
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. By sending a specific request to the webserver, it is possible to enable the telnet interface on the device. The telnet interface can then be used to obtain access to the device with root privileges and a default password. This default telnet password is the same across all Siime Eye devices. In order for the attack to be exploited, an attacker must be physically close in order to connect to the device's Wi-Fi access point.
08e3afef0573d78ea250b0dc91eeb7d27035e90e117728f39fe1c8ad35ae60f3
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. It uses a default SSID value, which makes it easier for remote attackers to discover the physical locations of many Siime Eye devices, violating the privacy of users who do not wish to disclose their ownership of this type of dev ice.
d5cd8275d1361533b51c94e30b650c6c16b66ac761cbac3cf6a4f0fce6ac4028
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. The password for the root user is hashed using an old and deprecated hashing technique. Because of this deprecated hashing, the success probability of an attacker in an offline cracking attack is greatly increased.
4402161040c1e257f4fb22e2ce24e8e5c24e4316ce14cf14d3fa43ec14ca967d
An issue was discovered in Siime Eye 14.1.00000001.3.330.0.0.3.14. There is no CSRF protection.
1b4dfe24cfa2bbe9c0737b6cd595fc715eaa981c261cfb0dec4dc1161934e692
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. When using the device at initial setup, a default password is used (123456) for administrative purposes. There is no prompt to change this password. Note that this password can be used in combination with CVE-2019-20470.
e8053fe5ffde193ef64f389c10296bdc5332d86109140c7971011eee3c2c7921
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. Any SIM card used with the device cannot have a PIN configured. If a PIN is configured, the device simply produces a "Remove PIN and restart!" message, and cannot be used. This makes it easier for an attacker to use the SIM card by stealing the device.
71e557db13170d553f8222b252adfde3c496c8b680f843aad63c276633d096ae
An issue was discovered on TK-Star Q90 Junior GPS horloge 3.1042.9.8656 devices. It performs actions based on certain SMS commands. This can be used to set up a voice communication channel from the watch to any telephone number, initiated by sending a specific SMS and using the default password, e.g., pw,password,call,mobile_number triggers an outbound call from the watch. The password is sometimes available because of CVE-2019-20471.
c037e2ee83a5523ffd033fa937fdfb763b41df886c5224e3cf246b802481b761
An issue was discovered in WiZ Colors A60 1.14.0. Wi-Fi credentials are stored in cleartext in flash memory, which presents an information-disclosure risk for a discarded or resold device.
97d62dd567fb988f3824a1cbb6eab402cf63cfefc3ddcaca2c3268d749b6814d
An issue was discovered in WiZ Colors A60 1.14.0. The device sends unnecessary information to the cloud controller server. Although this information is sent encrypted and has low risk in isolation, it decreases the privacy of the end user. The information sent includes the local IP address being used and the SSID of the Wi-Fi network the device is connected to.
f549ef3c39fe38d7059dc9eac35c3af42528503ec1e98721a75f5dc9da7da20f
An issue was discovered in WiZ Colors A60 1.14.0. Applications use general logs to reflect all kind of information to the terminal. The WIZ application does also use logs, however instead of only generic information also API credentials are submitted to the android log. The information that is reflected in the logging can be used to perform authorized requests in behalf of the user and therefore controlling the lights just as the user can do using the application. In order to obtain the information access to the device logs is required. This can most easily be done via local access and also by other apps on rooted devices.
6492b2c8cbbe7c07a81425d4126782dccb464f0c1bd39f043a2040c848da6ea8