Tomofun Furbo 360 and Furbo Mini GATT Service DeviceToken Information Disclosure Vulnerability

Vulnerability

A vulnerability exists in the Tomofun Furbo 360 and Furbo Mini devices, specifically within certain firmware versions, where the GATT service improperly handles the DeviceToken argument. This flaw allows for information disclosure, as an attacker within the local network can intercept the DeviceToken, which is used for authenticating the device with Furbo's backend services. Exploitation of this vulnerability could lead to the unauthorized re-registration of the victim's device to a rogue account, disrupting the victim's access to and control of the device.

Impact

Exploitation of this vulnerability allows for unauthorized access to the DeviceToken via Bluetooth Low Energy (BLE) communication. Interception of the DeviceToken could enable an attacker to re-register the victim's Furbo device to a different account, effectively locking the victim out of their device.

Reproduction

The vulnerability can be reproduced by using a BLE-capable adapter, such as the Nordic nRF52840, along with the necessary BLE libraries and the 'Furbo_Master.py' script. After ensuring proximity to the target Furbo Mini device, the script can be executed to scan and connect to the device. Once connected, the 'read_device_token' command can be used to extract the DeviceToken from the GATT characteristic. Following this, the intercepted DeviceToken can be used to spoof the victim's device by modifying the MAC address and replacing the DeviceToken in the device's setup information, allowing the attacker to take control of the device.

Added: Oct 12, 2025, 10:18 PM
Updated: Oct 12, 2025, 10:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 8.0
remediation: 0.0
relevance: 0.7
threat: 6.4
urgency: 2.9
incentive: 0.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.