Tomofun Furbo Products Hard-Coded Password Vulnerability in Root Account Handler

A hard-coded password vulnerability has been identified in the Tomofun Furbo 360 and Furbo Mini devices. This vulnerability resides in the Root Account Handler component, where a hard-coded password for the local root user is stored on a read-only firmware partition, preventing modification or reset by the device owner. Exploitation of this vulnerability requires physical access to the device and knowledge of the password, allowing an attacker to connect via UART and gain root shell access. This access could be used to bypass authentication mechanisms, manipulate sensitive system components, and potentially extract or alter device credentials and firmware. The issue is particularly concerning for recycled or disposed devices, as previous users may retain access indefinitely. The vulnerability affects Furbo 360 devices through FB0035_FW_036 and Furbo Mini devices through MC0020_FW_074.

Impact

Exploitation of this vulnerability allows for unauthorized root access via a hard-coded password, enabling an attacker to manipulate system components and access sensitive information. This could lead to a permanent security risk, especially for second-hand or disposed devices.

Reproduction

The vulnerability can be reproduced by physically accessing a vulnerable Furbo device, such as the Furbo 360 or Furbo Mini, and connecting to it via UART. Knowledge of the hard-coded password is required to gain root shell access.