Tomofun Furbo 360 and Furbo Mini Bluetooth Low Energy Cleartext Transmission Vulnerability

A vulnerability exists in the Tomofun Furbo 360 and Furbo Mini devices, specifically in certain firmware versions, where Bluetooth Low Energy (BLE) is used to transmit sensitive information, such as Wi-Fi credentials, in cleartext. This vulnerability requires access to the local network and can be exploited by an attacker within BLE range, which is typically up to 50 meters. The issue arises in Furbo 360 devices running firmware through FB0035_FW_036 and Furbo Mini devices running firmware through MC0020_FW_074.

Impact

Exploitation of this vulnerability allows for unauthorized access to the victim's Wi-Fi network by intercepting transmitted Wi-Fi SSID and password information. This could lead to additional attacks on the Furbo device or other devices connected to the same network.

Reproduction

To reproduce this vulnerability, an attacker must be within Bluetooth Low Energy range of a Tomofun Furbo device that is being added to a new network. Once in range, the attacker can use a BLE sniffer to capture the cleartext transmission of the Wi-Fi SSID and password from the Furbo App to the device. This exploitation can be facilitated by first disconnecting the Furbo device from the network using a Bluetooth denial-of-service attack, creating an opportunity to intercept the sensitive information during the reconnection process.