TrendMakers Sight Bulb Pro AES Encryption Key Exposure Vulnerability
Vulnerability
A vulnerability exists in the TrendMakers Sight Bulb Pro during the initial setup phase when the device broadcasts an access point. In this phase, AES encryption keys are transmitted in cleartext. If intercepted, an attacker could decrypt communications between the management application and the Sight Bulb Pro, potentially revealing sensitive information such as network credentials. This issue affects Sight Bulb Pro Firmware ZJ_CG32-2201, version 8.57.83 and prior.
Impact
Exploitation of this vulnerability could allow an attacker to capture and decrypt sensitive information, including network credentials, from communications with the Sight Bulb Pro management app.
Remediation
Physical security measures should be implemented to reduce the risk of remote interception during the initial setup, when the encryption key is transmitted in cleartext. Additionally, network monitoring or signature-based detection can be used to identify and respond to potential exploitation of this vulnerability.
