Meari IoT SDK Hardcoded Cryptographic Keys Vulnerability

Vulnerability

A vulnerability exists in the Meari IoT SDK, which is embedded in CloudEdge version 5.5.0 (build 220), Arenti version 1.8.1 (build 220), and various white-label Android applications version 1.8.x or earlier. This vulnerability involves multiple security-sensitive secrets that are hardcoded and shared across these platforms, including API signing materials, keys for password encryption during transmission, and service access keys. The presence of these static keys in client binaries undermines the security of trust decisions reliant on them, allowing for unauthorized data access and the potential for replay attacks across different brands and tenants that utilize the same SDK and backend infrastructure.

Impact

The hardcoded keys can be extracted from the application binaries and used to forge API requests, access data without authorization, and automate attacks across the entire ecosystem of brands that use the Meari SDK. This vulnerability amplifies other related vulnerabilities, such as unauthorized access to device WAN IPs and unencrypted alert images from baby monitors, by providing reusable signing contexts and facilitating large-scale automated abuse.

Reproduction

The vulnerability can be reproduced by decompiling the Meari CloudEdge application using a tool like Apktool, and then searching for the hardcoded keys in the output. The same keys can be found in the Arenti app and other white-label applications that use the Meari SDK. Once the keys are extracted, they can be used to sign API requests or authenticate P2P video sessions with cameras, exploiting the vulnerabilities related to unauthorized data access and replay attacks.

Remediation

There is no available remediation for this vulnerability, as the hardcoded keys cannot be rotated without re-flashing every device in the field.

Added: May 11, 2026, 5:40 PM
Updated: May 11, 2026, 5:40 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 8.4
remediation: 0.0
relevance: 8.0
threat: 4.8
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.