Minut M2 Cryptographic Key Extraction Vulnerability Allowing Firmware Injection and Device Takeover

Vulnerability

A vulnerability in Minut M2 IoT devices with firmware versions through #15142 allows physically proximate attackers to extract cryptographic keys from the device's internal flash. These keys can then be used to inject modified firmware into other Minut M2 devices via USB. The injected firmware could include surveillance capabilities, allowing an attacker to spy on guests and exfiltrate data over the network. The vulnerability could also be exploited to disrupt the device's intended function of monitoring noise levels and occupancy for short-term rental hosts.

Impact

Exploitation of this vulnerability could lead to unauthorized control over the affected device, allowing the attacker to manipulate its functions and potentially introduce surveillance capabilities that violate guest privacy.

Remediation

Minut M2 owners should update their devices to firmware version #1056696 or later.

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 2.9
remediation: 7.7
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.