Tomofun Furbo 360 and Furbo Mini MQTT Client Certificate Hard-Coded Credentials Vulnerability

Vulnerability

A vulnerability exists in the Tomofun Furbo 360 and Furbo Mini devices, specifically in certain firmware versions. The issue arises from a hard-coded MQTT client certificate in the file '/squashfs-root/furbo_img', which is not unique to each device. This flaw allows an attacker who decrypts the firmware to impersonate any Furbo device and connect to Furbo's MQTT infrastructure as a client. Once connected, the attacker can access the device IDs of all users and monitor their device interactions in real time. This vulnerability could be exploited to determine when a device owner is home based on their device usage patterns.

Impact

Exploitation of this vulnerability allows for impersonation of Furbo devices, access to all user device IDs, and real-time monitoring of device interactions, potentially leading to privacy invasions by tracking when an owner is home.

Reproduction

To reproduce this vulnerability, retrieve and decrypt the Furbo firmware. After decompressing the firmware with a tool such as binwalk, navigate to the '/squashfs-root/furbo_img' file. Decompress this file and access the MQTT client certificate. Using an MQTT client, subscribe to the Furbo MQTT endpoint with the hard-coded certificate and private key. This will allow observation of actions from every other Furbo device globally.
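The root cause above is a client credential that is identical in every unit, so the defensive check is to confirm that an MQTT client certificate and key recovered from one firmware image or device dump do not also appear in another. The following script is an added example, not code from this advisory or from Tomofun: it walks unpacked firmware trees, pulls out every PEM certificate and private-key block (including blocks embedded inside a larger binary such as a 'furbo_img'), fingerprints them, and reports any that are shared between images. The directory layout and PEM contents it builds are constructed placeholders, not real Furbo files or keys.

```python
import base64
import hashlib
import re
import tempfile
from pathlib import Path
from typing import Dict, List

# Matches any PEM block (certificate or private key) anywhere inside a file,
# including inside a binary blob surrounded by non-text bytes.
PEM_RE = re.compile(
    rb"-----BEGIN (?P<kind>[A-Z ]+?)-----\s*"
    rb"(?P<body>[A-Za-z0-9+/=\s]+?)\s*-----END (?P=kind)-----"
)


def find_pem_blocks(root: Path) -> List[dict]:
    """Walk an unpacked firmware tree and return every PEM block with a fingerprint."""
    found = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        data = path.read_bytes()
        for m in PEM_RE.finditer(data):
            # Strip line breaks so the same block formatted differently hashes the same.
            body = b"".join(m.group("body").split())
            found.append({
                "file": str(path.relative_to(root)),
                "kind": m.group("kind").decode(),
                "fingerprint": hashlib.sha256(body).hexdigest()[:16],
            })
    return found


def shared_credentials(trees: Dict[str, Path]) -> Dict[str, List[str]]:
    """Return fingerprints present in more than one firmware tree.

    A client certificate or key that is byte-identical across images is not
    per-device, which is exactly the flaw described in this advisory.
    """
    seen: Dict[str, set] = {}
    for label, root in trees.items():
        for blk in find_pem_blocks(root):
            seen.setdefault(blk["kind"] + ":" + blk["fingerprint"], set()).add(label)
    return {fp: sorted(labels) for fp, labels in seen.items() if len(labels) > 1}


def _fake_pem(kind: str, payload: bytes) -> bytes:
    """Constructed PEM-shaped placeholder; the body is NOT a real key or certificate."""
    b64 = base64.b64encode(payload).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN {kind}-----\n{lines}\n-----END {kind}-----\n".encode()


def build_sample_trees(base: Path) -> Dict[str, Path]:
    """Construct two fake unpacked firmware trees (placeholder data, not Furbo files).

    Both trees embed the same MQTT client certificate and key inside a binary
    blob; each also carries a key that is unique to that unit for contrast.
    """
    shared_cert = _fake_pem("CERTIFICATE", b"constructed shared mqtt client cert")
    shared_key = _fake_pem("RSA PRIVATE KEY", b"constructed shared mqtt client key")
    trees = {}
    for label in ("device_A", "device_B"):
        root = base / label
        (root / "squashfs-root").mkdir(parents=True)
        blob = b"\x00" * 64 + shared_cert + b"\xff" * 32 + shared_key + b"\x00" * 16
        (root / "squashfs-root" / "furbo_img").write_bytes(blob)
        (root / "squashfs-root" / "device.key").write_bytes(
            _fake_pem("EC PRIVATE KEY", f"constructed unique key for {label}".encode())
        )
        trees[label] = root
    return trees


def audit_demo() -> Dict[str, List[str]]:
    """Build the constructed trees and return the credentials shared between them."""
    with tempfile.TemporaryDirectory() as tmp:
        return shared_credentials(build_sample_trees(Path(tmp)))


if __name__ == "__main__":
    for fp, devices in audit_demo().items():
        print(f"SHARED {fp} in {', '.join(devices)}")
```

On real input, point shared_credentials at one unpacked tree per firmware version or per physical unit; a non-empty result for a CERTIFICATE or PRIVATE KEY entry means the credential is not device-unique and any device-identity check on the broker side that relies on it is ineffective. The per-device "EC PRIVATE KEY" in the sample is deliberately not reported, showing what a correctly provisioned credential looks like to the check.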

Added: Oct 12, 2025, 8:17 PM
Updated: Oct 12, 2025, 8:17 PM

Vulnerability Rating

Custom Algorithm

    spread          0.0
    impact          5.0
    exploitability  8.7
    remediation     0.0
    relevance       0.7
    threat          6.4
    urgency         2.9
    incentive       5.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.