Tomofun Furbo Products GATT Service Access Control Vulnerability

Vulnerability

An improper access control vulnerability has been identified in the Tomofun Furbo 360 and Furbo Mini cameras. The issue affects specific firmware versions of both products and lies in the GATT (Generic Attribute Profile) service used for Bluetooth Low Energy (BLE) communication. An attacker within BLE range can send read requests to a characteristic that exposes the 'p2puuid', a unique identifier used to route video streams through the Furbo backend. Exploiting this vulnerability can disrupt the normal video streaming process by replacing a victim's stream with that of the attacker's device.
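
A firmware-side check for the condition described above, as an added example that is not from the advisory or from Tomofun: it audits a GATT attribute table and reports sensitive characteristics that can be read without an authenticated link. The table, UUIDs and `sensitive` markings are constructed, and the flag names assume a BlueZ-style GATT server, which the page does not confirm for Furbo.

```python
# Added example: GATT read-permission audit over a constructed attribute table.
# Flag names follow the BlueZ GATT server vocabulary (an assumption).

# Read flags ranked from weakest to strongest requirement.
READ_LEVELS = {
    "read": 0,                        # any device in BLE range may read
    "encrypt-read": 1,                # encrypted link; unauthenticated pairing suffices
    "encrypt-authenticated-read": 2,  # authenticated (MITM-protected) pairing required
    "secure-read": 3,                 # LE Secure Connections required
}

# Constructed sample table; UUIDs are placeholders, not Furbo's real values.
SAMPLE_TABLE = [
    {"name": "device_name", "uuid": "00000000-0000-0000-0000-000000000001",
     "flags": ["read"], "sensitive": False},
    {"name": "p2puuid", "uuid": "00000000-0000-0000-0000-000000000002",
     "flags": ["read", "notify"], "sensitive": True},
    {"name": "wifi_status", "uuid": "00000000-0000-0000-0000-000000000003",
     "flags": ["encrypt-read"], "sensitive": True},
    {"name": "pairing_state", "uuid": "00000000-0000-0000-0000-000000000004",
     "flags": ["encrypt-authenticated-read"], "sensitive": True},
    {"name": "led_control", "uuid": "00000000-0000-0000-0000-000000000005",
     "flags": ["write"], "sensitive": True},
]

def read_level(flags):
    """Return the strictest read flag present, or None if not readable.

    Treating the strictest flag as the effective requirement is an
    assumption of this example.
    """
    present = [f for f in flags if f in READ_LEVELS]
    return max(present, key=READ_LEVELS.get) if present else None

def audit(table, minimum="encrypt-authenticated-read"):
    """List (name, effective_flag) for sensitive characteristics below `minimum`."""
    floor = READ_LEVELS[minimum]
    findings = []
    for ch in table:
        flag = read_level(ch["flags"])
        if ch["sensitive"] and flag is not None and READ_LEVELS[flag] < floor:
            findings.append((ch["name"], flag))
    return findings

if __name__ == "__main__":
    for name, flag in audit(SAMPLE_TABLE):
        print(f"FAIL {name}: readable with only '{flag}'")
```

The `encrypt-read` case is reported as well because an encrypted link alone can be established through unauthenticated pairing by any device in range.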

Impact

Exploitation of this vulnerability allows for unauthorized access to sensitive identifiers that can be used to manipulate video stream routing, causing a disruption in the normal functionality of the Furbo Mini or Furbo 360 device.

Reproduction

To reproduce this vulnerability, first acquire a Bluetooth Low Energy adapter and install the necessary dependencies, such as 'bleak' or 'bluepy'. Then, obtain the custom 'Furbo_Master.py' script. Ensure the attacking device is within BLE range of the target Furbo device. Run the 'Furbo_Master.py' script to scan and connect to the Furbo device. After establishing a connection, execute commands to read the 'p2puuid' from the GATT characteristic. Once the identifier is obtained, update the attacker's device information to include the victim's details, delete the default authentication file, and reboot the device. The attacker's device will then receive the victim's video stream through the Furbo app.

Added: Oct 12, 2025, 9:17 PM
Updated: Oct 12, 2025, 9:17 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 5.0
exploitability: 6.2
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.