Meari IoT SDK Weak XOR Obfuscation Vulnerability in Image Handling

A vulnerability exists in the Meari IoT SDK's image processing within the library libmrplayer.so, as seen in CloudEdge version 5.5.0 (build 220), Arenti version 1.8.1 (build 220), and other related white-label applications version 1.8.x or earlier. The issue arises with baby monitor alert images saved as '.jpgx3' files, which are obfuscated using a reversible XOR operation applied only to the first 1024 bytes. This obfuscation employs a predictable key derived from the image's serial number, allowing for easy decryption and access to the original image content.

Impact

Exploitation of this vulnerability allows for the unauthorized access and viewing of private images captured by the baby monitor, effectively compromising the privacy of the monitored environment.

Reproduction

The vulnerability can be reproduced by first obtaining a '.jpgx3' image from a Meari baby monitor, which can be done by accessing the public Alibaba OSS bucket where these images are stored without authentication. Once the image is downloaded, the first 1024 bytes can be decrypted by applying an XOR operation with a key derived from the image's serial number, which is also accessible through the MQTT broker or the OpenAPI device status endpoint.