Inaba Denki Sangyo CHOCO TEI WATCHER mini Direct Request Vulnerability Allowing Data Manipulation and Unauthorized Access
Vulnerability
A direct request vulnerability, also known as 'forced browsing', has been identified in all versions of the CHOCO TEI WATCHER mini (IB-MCT001) by Inaba Denki Sangyo Co., Ltd. This vulnerability allows remote attackers to send specially crafted HTTP requests that can result in unauthorized access to the product's data, deletion of that data, or alteration of the product's settings. Additionally, this vulnerability could be exploited in conjunction with other identified weaknesses in the same product, such as weak password requirements and client-side authentication issues, to gain unauthorized access and control over the device.
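As an added illustration (not code from the advisory, the vendor or the device firmware), the following Python contrasts the pattern the advisory describes, a server that trusts the client to have gone through the login page, with a deny-by-default check that authorizes every request against a server-side session; the endpoint paths, roles and session tokens are hypothetical placeholders.

```python
"""Forced browsing vs. server-side authorization (added example).

Endpoint names, roles and session tokens below are constructed for
illustration; none are taken from the CHOCO TEI WATCHER mini.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed resource map: path -> minimum role needed to use it.
PUBLIC_PATHS = {"/login"}
PROTECTED_PATHS = {
    "/live": "viewer",                   # live camera feed
    "/api/recordings": "viewer",         # stored stoppage footage
    "/api/recordings/delete": "admin",   # delete footage
    "/api/settings": "admin",            # change device settings
}
ROLE_RANK = {"viewer": 1, "admin": 2}

# Constructed server-side session store: token -> role.
SESSIONS = {"tok-viewer": "viewer", "tok-admin": "admin"}


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None


def handle_vulnerable(req: Request) -> int:
    """Client-side authentication only: the login page is a UI gate, so a
    direct request to any known URL is served with no check at all."""
    if req.path in PUBLIC_PATHS or req.path in PROTECTED_PATHS:
        return 200  # data read, deletion or settings change goes through
    return 404


def handle_hardened(req: Request) -> int:
    """Deny by default: each request is authorized on the server against
    the session it presents, never against which page the client visited."""
    if req.path in PUBLIC_PATHS:
        return 200
    required = PROTECTED_PATHS.get(req.path)
    if required is None:
        return 404
    role = SESSIONS.get(req.session_token or "")
    if role is None:
        return 401  # no valid server-side session
    if ROLE_RANK[role] < ROLE_RANK[required]:
        return 403  # authenticated, but not permitted for this action
    return 200
```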
Impact
Exploitation of this vulnerability could lead to unauthorized access and manipulation of the device's data and settings. It also allows for covert surveillance by accessing live camera feeds without detection, and disruption of recorded footage related to production line stoppages, which could interfere with operational analysis and compliance requirements.
Remediation
Users are advised to operate the product within a local area network (LAN) and to block access from untrusted networks and hosts using firewalls. If internet access is necessary, a firewall or virtual private network (VPN) should be used to prevent unauthorized access, restricting internet connectivity to the minimum required. Furthermore, the handling of the product and its microSD card should be limited to authorized users only.
