Flock Safety Android Collins Application Unauthenticated Administrative API Access Vulnerability on Falcon and Sparrow Devices

Vulnerability

A vulnerability exists in the Flock Safety Android Collins application version 6.35.31, used on Falcon and Sparrow License Plate Readers as well as Bravo Edge AI Compute Devices. The application lacks authentication and exposes administrative API endpoints on port 8080. These endpoints, which include /reboot, /logs, /crashpack, and /adb/enable, can be accessed without authentication, leading to impacts including denial of service, information disclosure, and remote code execution. The /adb/enable endpoint allows an attacker on the same local network to gain shell access by starting ADB over TCP without any confirmation prompt, bypassing the usual debugging permission checks.

Impact

Exploitation of this vulnerability allows unauthorized access to the administrative API endpoints, leading to information disclosure, denial of service, and remote code execution. The latter provides shell access on the affected device; root access is not required.

Reproduction

The vulnerability can be reproduced by sending unauthenticated requests to the exposed API endpoints on port 8080. This can be done after connecting to the device's Wi-Fi hotspot, which is active by default. Once connected, the /adb/enable endpoint can be accessed to enable ADB over TCP, after which the device can be reached via ADB to obtain shell access.
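For defenders who cannot patch immediately, the practical questions are whether anything on the hotspot subnet is already hitting these endpoints and what an authenticating gateway in front of port 8080 should enforce. The following Python is an added example written for this page, not code from Flock Safety or from the advisory: it runs a detection pass over constructed request-log lines (the log layout, the sample addresses, the per-endpoint severities and the 10.20.0.0/24 management network are all assumptions of the example) and models the allow/deny policy such a gateway would apply to the four endpoints named above.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Endpoints named in the advisory, each with a triage severity. The severity
# ranking is this example's own assumption, not a value taken from the page.
SENSITIVE_PATHS = {
    "/adb/enable": "critical",  # enables ADB over TCP -> shell access
    "/reboot": "high",          # denial of service
    "/crashpack": "medium",     # information disclosure
    "/logs": "medium",          # information disclosure
}
ADMIN_PORT = 8080

# Assumed log layout (constructed for this example):
#   <src_ip> <dst_ip>:<dst_port> <method> <path> auth=<yes|no>
LOG_RE = re.compile(
    r"^(?P<src>\S+) (?P<dst>\S+):(?P<port>\d+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+) auth=(?P<auth>yes|no)$"
)

# Constructed sample traffic as seen on the device's hotspot subnet.
SAMPLE_LOG = """\
192.168.43.5 192.168.43.1:8080 GET /status auth=no
192.168.43.5 192.168.43.1:8080 POST /adb/enable auth=no
192.168.43.7 192.168.43.1:8080 GET /logs auth=no
192.168.43.7 192.168.43.1:443 GET /logs auth=yes
192.168.43.9 192.168.43.1:8080 POST /reboot auth=no
this line is malformed and must be skipped
"""


@dataclass(frozen=True)
class Finding:
    src: str
    method: str
    path: str
    severity: str


def parse_line(line: str) -> Optional[dict]:
    """Return the parsed fields, or None for lines that do not match the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["port"] = int(rec["port"])
    rec["auth"] = rec["auth"] == "yes"
    return rec


def find_unauthenticated_admin_calls(log_text: str) -> List[Finding]:
    """Flag every request to a sensitive endpoint on the admin port that carried no credentials."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["port"] != ADMIN_PORT:
            continue
        # Drop any query string so "/logs?x=1" still matches "/logs".
        path = rec["path"].split("?", 1)[0]
        if path in SENSITIVE_PATHS and not rec["auth"]:
            findings.append(Finding(rec["src"], rec["method"], path, SENSITIVE_PATHS[path]))
    return findings


def summarize(findings: List[Finding]) -> Counter:
    """Count findings per endpoint for a quick triage view."""
    return Counter(f.path for f in findings)


# Hardened policy a gateway in front of the API would enforce (this example's
# assumption, not a vendor fix): sensitive endpoints require authentication and
# a source address inside the operator's management network.
MANAGEMENT_NET = ipaddress.ip_network("10.20.0.0/24")  # constructed


def policy_decision(src: str, path: str, authenticated: bool) -> str:
    """Return 'allow' or a 'deny: <reason>' string for one request."""
    if path.split("?", 1)[0] not in SENSITIVE_PATHS:
        return "allow"
    if not authenticated:
        return "deny: no credentials"
    if ipaddress.ip_address(src) not in MANAGEMENT_NET:
        return "deny: source outside management network"
    return "allow"


if __name__ == "__main__":
    hits = find_unauthenticated_admin_calls(SAMPLE_LOG)
    for f in hits:
        print(f"{f.severity.upper():8} {f.src} {f.method} {f.path}")
    print(dict(summarize(hits)))
```

On the constructed sample the detector reports three findings (the /adb/enable, /logs and /reboot calls on port 8080), ignores the authenticated request on port 443, and skips the malformed line rather than failing on it. The policy helper denies the sensitive endpoints first on missing credentials and then on source network, so an authenticated client on the hotspot subnet is still refused; requiring both conditions is what removes the "same local network is enough" property the advisory describes.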

Added: Oct 2, 2025, 5:32 PM
Updated: Oct 2, 2025, 8:28 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 6.2
remediation: 0.0
relevance: 0.6
threat: 6.5
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.